[27020] in bugtraq
Re: PHP fopen() CRLF Injection
daemon@ATHENA.MIT.EDU (Stefan Esser)
Thu Sep 12 15:14:37 2002
Date: Thu, 12 Sep 2002 19:55:25 +0200
From: Stefan Esser <sesser@php.net>
To: bugtraq@securityfocus.com
Message-ID: <20020912175525.GA21430@php.net>
Hi,
> This issue has now been fixed in their CVS repository. This is the
> patch that they used:
I dislike calling my patch a fix. The problem you describe is not a
bug within PHP. One could call it an undocumented feature, that is
now gone with my patch. You cannot blame a programmer's error on the
language itself. Your fopen() thing does only occur if the programmer
does TWO stupid things: A) pass user input directly to a function
without proper validation, B) pass a URL to a function that is not
a URL. Any string that contains control chars cannot be a valid URL.
Before you pass a string that should be a URL to any function you
MUST urlencode() it. No need for your reg expression at all.
Following your idea I could blame the libc authors for implementing
strcpy() because, misused, it leads to buffer overflows.
Just because PHP is easy (to learn) you cannot leave your
brain at home when programming for your company.
Stefan Esser
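Added example, not part of Stefan Esser's message and not PHP's own code: one way to apply the two checks the message names, encoding the user-supplied part of a URL and refusing any URL that still contains control characters before it reaches fopen(). The helper names, the example.com base URL and the sample input are assumptions constructed for illustration, and rawurlencode() is applied to the user-supplied component only.

```php
<?php
// Added example: hypothetical helpers, placeholder host, constructed input.

/**
 * True if the string contains any ASCII control character (0x00-0x1F, 0x7F).
 * CR and LF fall in this range; a string containing them is not a valid URL.
 */
function has_control_chars(string $s): bool
{
    return preg_match('/[\x00-\x1F\x7F]/', $s) === 1;
}

/**
 * Build a URL from a fixed, trusted base and one user-supplied query value.
 * rawurlencode() percent-encodes CR/LF (%0D/%0A), so the value cannot
 * terminate the request line of the HTTP request fopen() will send.
 */
function build_lookup_url(string $base, string $userValue): string
{
    $url = $base . '?q=' . rawurlencode($userValue);

    // Defence in depth: validate the finished URL, not just the component.
    if (has_control_chars($url) || filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('refusing to open malformed URL');
    }
    return $url;
}

// Constructed input: a value that carries a CRLF pair.
$input = "news\r\nX-Test: 1";

// Concatenating the raw value would produce a string the check rejects.
$raw = 'http://example.com/search?q=' . $input;
var_dump(has_control_chars($raw));

// The encoded form passes both checks and contains no raw CR or LF.
$url = build_lookup_url('http://example.com/search', $input);
var_dump(has_control_chars($url));
echo $url, PHP_EOL;

// Only now would the URL be handed to the wrapper, e.g.:
// $fh = fopen($url, 'r');
```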