- Merging r323033 into 5.3 (see bug #60227).

15 years ago · 8e82bda330
4 changed files with 20 additions and 5 deletions
--- a/2
+++ b/2
@ -7,7 +7,7 @@ PHP                                                                        NEWS

 - Core:
  . Fixed bug #60227 (header() cannot detect the multi-line header with CR).
-    (rui)
+    (rui, Gustavo)
  . Fixed bug #60825 (Segfault when running symfony 2 tests).
    (Dmitry, Laruence)
  . Fix bug #60895 (Possible invalid handler usage in windows random
--- a/ext/standard/tests/general_functions/bug60227_1.phpt
+++ b/ext/standard/tests/general_functions/bug60227_1.phpt
--- a/ext/standard/tests/general_functions/bug60227_2.phpt
+++ b/ext/standard/tests/general_functions/bug60227_2.phpt
@ -0,0 +1,14 @@
+--TEST--
+Bug #60227 (header() cannot detect the multi-line header with CR), \r before \n
+--FILE--
+<?php
+header("X-foo: e\n foo");
+header("X-Foo6: e\rSet-Cookie: ID=123\n d");
+echo 'foo';
+?>
+--EXPECTF--
+Warning: Header may not contain more than a single header, new line detected. in %s on line %d
+foo
+--EXPECTHEADERS--
+X-foo: e
+foo
--- a/main/SAPI.c
+++ b/main/SAPI.c
@ -591,10 +591,11 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg TSRMLS_DC)
 		}
 	} else {
 		/* new line safety check */
-		char *s = header_line, *e = header_line + header_line_len, *p;
-		while (s < e && ((p = memchr(s, '\n', (e - s))) || (p = memchr(s, '\r', (e - s))))) {
-			if (*(p + 1) == ' ' || *(p + 1) == '\t') {
-				s = p + 1;
+		char *s = header_line;
+		while (s = strpbrk(s, "\n\r")) {
+			if (s[1] == ' ' || s[1] == '\t') {
+				/* RFC 2616 allows new lines if followed by SP or HT */
+				s++;
 				continue;
 			}
 			efree(header_line);