Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Header parser of `http` stream wrapper does not handle folded headers

Moderate
bukka publishedGHSA-v8xr-gpvj-cx9gMar 13, 2025

Package

No package listed

Affected versions

< 8.1.32
< 8.2.28
< 8.3.18
< 8.4.5

Patched versions

8.1.32
8.2.28
8.3.19
8.4.5

Description

Summary

The header parser of thehttp stream wrapper does not handle folded headers and passes incorrect MIME types to an attached stream notifier.

Details

The header parser of thehttp stream parser does not understand that a header line beginning with whitespace continues the previous header and instead considers every newline to be a header separator.

This has two consequences:

  1. TheSTREAM_NOTIFY_MIME_TYPE_IS notification might report an incorrect MIME type, if thecontent-type header is a folded header.
  2. The$http_response_header array contains the header continuation lines as they appear on-the-wire, requiring userland code to be aware of folded headers and violatingRFC9112#5.2, which specifies:

    A user agent that receives anobs-fold in a response message that is not within a "message/http" container MUST replace each receivedobs-fold with one or moreSP octets prior to interpreting the field value.

PoC

<?phpfunctionstream_notification_callback($notification_code,$severity,$message,$message_code,$bytes_transferred,$bytes_max) {switch($notification_code) {caseSTREAM_NOTIFY_MIME_TYPE_IS:echo"Found the mime-type:",$message,PHP_EOL;break;    }}$ctx =stream_context_create();stream_context_set_params($ctx,array("notification" =>"stream_notification_callback"));var_dump(file_get_contents("http://127.0.0.1:8080",false,$ctx));var_dump($http_response_header);

Running against:

printf "HTTP/1.0 200 Ok\r\nContent-Type: text/html;\r\n    charset=utf-8\r\n\r\nbody\r\n" |nc -l 0.0.0.0 8080

results in:

Found the mime-type: text/html;string(6) "body"array(3) {  [0]=>  string(15) "HTTP/1.0 200 Ok"  [1]=>  string(24) "Content-Type: text/html;"  [2]=>  string(17) "    charset=utf-8"}

being printed (after killingnc with Ctrl+C), thus missing thecharset within the mime type.

Impact

Users of thehttp stream wrapper might interpret the response with an incorrect MIME type and more generally might misparse the response, for example by incorrectly determining which response headers belong to the final response if a redirect happened.

Severity

Moderate

CVE ID

CVE-2025-1217

Weaknesses

No CWEs

Credits

[8]ページ先頭
©2009-2025 Movatter.jp