diff --git a/typo3/sysext/core/Classes/Http/Message.php b/typo3/sysext/core/Classes/Http/Message.php
index 1197228cb3bba378c7f8cbf8b7a0c8630c8cd8e3..c28e2abdb16f778f9558db91042e65c0a28abb18 100644
--- a/typo3/sysext/core/Classes/Http/Message.php
+++ b/typo3/sysext/core/Classes/Http/Message.php
@@ -460,11 +460,8 @@ class Message implements MessageInterface
{
$value = (string)$value;
- // Look for:
- // \n not preceded by \r, OR
- // \r not followed by \n, OR
- // \r\n not followed by space or horizontal tab; these are all CRLF attacks
- if (preg_match("#(?:(?:(?<!\r)\n)|(?:\r(?!\n))|(?:\r\n(?![ \t])))#", $value)) {
+ // Any occurence of \r or \n is invalid
+ if (strpbrk($value, "\r\n") !== false) {
return false;
}
diff --git a/typo3/sysext/core/Classes/Utility/GeneralUtility.php b/typo3/sysext/core/Classes/Utility/GeneralUtility.php
index 65ebca4ab98d8969c8a055cfefd2a0ecf926fa9a..b1b8b64df848ae43cc9ebeef4d44a1c6795863f9 100755
--- a/typo3/sysext/core/Classes/Utility/GeneralUtility.php
+++ b/typo3/sysext/core/Classes/Utility/GeneralUtility.php
@@ -3146,6 +3146,7 @@ Connection: close
*
* @param string $path URL / path to prepend full URL addressing to.
* @return string
+ * @throws \InvalidArgumentException
*/
public static function locationHeaderUrl($path)
{
@@ -3157,6 +3158,10 @@ Connection: close
// No scheme either
$path = self::getIndpEnv('TYPO3_REQUEST_DIR') . $path;
}
+ // Can be removed once minimum PHP requirement is at least 5.5.22 or 5.6.6
+ if (strpbrk($path, "\r\n") !== false) {
+ throw new \InvalidArgumentException('HTTP header injection attempt in "' . $path . '"', 1448194036);
+ }
return $path;
}
diff --git a/typo3/sysext/core/Tests/Unit/Http/MessageTest.php b/typo3/sysext/core/Tests/Unit/Http/MessageTest.php
index 4d0f2552d6434468b808b95cc333ccdf753d68d2..a0562484aa70c46e9f4a56efe900537c26ba22d2 100644
--- a/typo3/sysext/core/Tests/Unit/Http/MessageTest.php
+++ b/typo3/sysext/core/Tests/Unit/Http/MessageTest.php
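Review bot: The new `strpbrk($value, "\r\n")` guard rejects CR and LF but still accepts every other control byte, so a value carrying NUL or another CTL passes as a valid header value even though RFC 7230 §3.2 permits only HTAB, SP, VCHAR and obs-text in a field-value, and how proxies and SAPIs treat such bytes varies. Consider widening the test to `if (preg_match('/[^\x09\x20-\x7E\x80-\xFF]/', $value)) { return false; }`, which keeps the CR/LF rejection this commit introduces and additionally drops the remaining CTLs while still allowing HTAB. Rejecting obs-fold outright (the `\r\n` + SP/HTAB case the removed regex used to allow) is the right call; RFC 7230 §3.2.4 forbids senders from generating it, and the GeneralUtility hunk notes that PHP itself refuses it from 5.5.22/5.6.6 on. The new comment also has a typo, `occurence` → `occurrence`. The enclosing validation method starts and ends outside this hunk.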
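Review bot: The exception message in the new `throw` embeds the rejected `$path` verbatim, so the very CR/LF bytes the check just refused are carried into whatever log line or error page renders the message, which enables log-line forgery and, should the message ever be echoed into a response, reintroduces the header/body injection the guard exists to block. Escape the value before interpolating it, for example `throw new \InvalidArgumentException('HTTP header injection attempt in "' . addcslashes($path, "\0..\37") . '"', 1448194036);`, which renders the control bytes as visible escapes rather than raw characters. The guard itself only covers CR and LF; whether other control bytes need rejecting here depends on the callers, which presumably hand the result to `header('Location: ...')` as the added comment implies, so I would leave that to the Message validator and keep this check minimal. The body of `locationHeaderUrl` begins outside this hunk; its signature is in the preceding hunk of the same file.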
@@ -285,6 +285,8 @@ class MessageTest extends \TYPO3\CMS\Core\Tests\UnitTestCase
'array-value-with-lf' => ['X-Foo-Bar', ["value\ninjection"]],
'array-value-with-crlf' => ['X-Foo-Bar', ["value\r\ninjection"]],
'array-value-with-2crlf' => ['X-Foo-Bar', ["value\r\n\r\ninjection"]],
+ 'multi-line-header-space' => ['X-Foo-Bar', "value\r\n injection"],
+ 'multi-line-header-tab' => ['X-Foo-Bar', "value\r\n\tinjection"],
];
}
@@ -308,21 +310,4 @@ class MessageTest extends \TYPO3\CMS\Core\Tests\UnitTestCase
$this->message->withAddedHeader($name, $value);
}
- /**
- * @test
- */
- public function testWithHeaderAllowsHeaderContinuations()
- {
- $message = $this->message->withHeader('X-Foo-Bar', "value,\r\n second value");
- $this->assertEquals("value,\r\n second value", $message->getHeaderLine('X-Foo-Bar'));
- }
-
- /**
- * @test
- */
- public function testWithAddedHeaderAllowsHeaderContinuations()
- {
- $message = $this->message->withAddedHeader('X-Foo-Bar', "value,\r\n second value");
- $this->assertEquals("value,\r\n second value", $message->getHeaderLine('X-Foo-Bar'));
- }
}
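Review bot: The two new rows pass the header value as a bare string whereas every neighbouring row wraps it in an array (`["value\ninjection"]`), so the provider now mixes scalar and array-valued cases without saying why; either wrap them the same way or annotate them, e.g. `// scalar form: folded continuation lines must be rejected even when the value is not wrapped in an array`. Only LF and CRLF rows are visible in this hunk; if the provider has no bare-CR case, add `'array-value-with-cr' => ['X-Foo-Bar', ["value\rinjection"]],` because the removed regex handled `\r` not followed by `\n` explicitly and the new `strpbrk` guard deserves a pinned test for that input too. The provider method starts outside this hunk.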