Skip to content

ext/soap: truncate a user_agent containing newline characters#22771

Merged
iliaal merged 1 commit into
php:masterfrom
iliaal:fix/soap-user-agent-header-injection
Jul 17, 2026
Merged

ext/soap: truncate a user_agent containing newline characters#22771
iliaal merged 1 commit into
php:masterfrom
iliaal:fix/soap-user-agent-header-injection

Conversation

@iliaal

@iliaal iliaal commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

GH-17976 (#21658) sanitized user_agent where the HTTP wrapper emits headers and left the SOAP client alone, so CRLF in the value still injects request headers. Verified against a mock server on master: ini_set('user_agent', "ua\r\nX-Injected: yes") puts a real X-Injected: yes on the wire. A NUL-prefixed value ("ua\0valid\r\n...") injects too now that 21658 made the ini global a zend_string, where the old char* form truncated at the NUL.

Three sources feed that sink unchecked (the SoapClient user_agent option, the http.user_agent context option, and the ini), so this resolves them to one zend_string and emits through the same truncate-and-warn check the HTTP wrapper uses. The two user-zval sources were already length-aware and injected before 21658, so 8.4 and 8.5 are affected as well.

The helper mirrors smart_str_append_header_value() rather than exporting it from ext/standard, which would add API surface there for a soap fix; the duplication keeps behaviour identical for the same ini across both clients.

phpGH-17976 sanitized user_agent where the HTTP wrapper emits headers and left
the SOAP client alone, so a value carrying CRLF still injects request headers
through all three of its sources: the SoapClient user_agent option, the
http.user_agent stream context option, and the ini setting. Resolve the three
to one zend_string and emit it through the same truncate-and-warn check the
HTTP wrapper applies.

Closes phpGH-22771
@iliaal
iliaal merged commit 3dcdb98 into php:master Jul 17, 2026
33 of 34 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants