3

I sometimes use user data in the PHP `header` function like this:

```php
header('Location: test' . $user_data);
```

I used to remove \n and \r to prevent header injection, but are there any other newline characters? I wrote Location in my example, but it can be something else. I know I have to validate and sanitize the URL; my question is about new lines in headers.

rap-2-h
  • 2
    By the way, `Location: ` header must be an absolute URL (i.e. it must start from `http://` or whatever protocol you're going to use) – galymzhan Jul 06 '12 at 13:38
  • 4
    Relative `Location:` headers, although against RFC, work as expected with virtually all browsers. – lanzz Jul 06 '12 at 13:41
  • I don't understand: `header('Location: test.php');` seems to work (I've just tried), I can use a relative URL (PHP/Apache) – rap-2-h Jul 06 '12 at 13:44
  • @raina77ow: thanks! I didn't notice that. PHP sends a warning (I've just tried), and no redirection has been made. – rap-2-h Jul 06 '12 at 13:49
  • 1
    rap-2-h, just because relative paths work with your browser doesn't mean they will work everywhere (web browsers aren't the only applications that browse the web [e.g. search engine bots]). – 0b10011 Jul 06 '12 at 13:50

1 Answer

4

Quoting the doc:

> (since 4.4.2 and 5.1.2) This function now prevents more than one header to be sent at once as a protection against header injection attacks.

So I suppose even that CRLF replacement you've already did is not necessary.

raina77ow
  • 2
    (Assuming >4.4.2 or >5.1.2 is being used.) – 0b10011 Jul 06 '12 at 13:51
  • 2
    Yes, but then you go on to say "So I suppose even that CRLF replacement you've already did is not necessary." which is making that assumption, so if someone skips the quote, they'll assume they don't have to do it either (people don't read haha). – 0b10011 Jul 06 '12 at 13:52
  • Thanks! I didn't notice that. PHP sends a warning (I've just tried), and no redirection has been made (but my question is still valid, because my application is PHP 5.1.X compatible, so I can't accept your response right now (maybe later, I voted +1 for now)) – rap-2-h Jul 06 '12 at 13:53
  • 2
    I know it's old, but I just found out today (6 Jan 2017), using PHP 5.2.17, that PHP allows multi-line headers using CR only (\r, ASCII 13, %0D), which unfortunately is treated by the Chrome browser as a new line, allowing header injection. I hope it is useful to someone checking out this page. – elfan Jan 06 '17 at 08:14
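
An added example, not code from the question or the answer: a validation wrapper that does not rely on the PHP version's built-in check and also rejects the bare CR case mentioned in the last comment. The function names `assert_header_safe` and `send_header`, the choice to reject every ASCII control character, and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example. Helper names are hypothetical; sample inputs are constructed.

/**
 * Return $value unchanged if it may be placed in a header line, throw otherwise.
 * Rejects every ASCII control character (0x00-0x1F and 0x7F), which covers
 * CRLF, a bare LF, a bare CR and NUL. Rejecting instead of stripping avoids
 * silently sending a value the caller did not intend.
 */
function assert_header_safe($value)
{
    if (!is_string($value) || preg_match('/[\x00-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException('Control character in header value');
    }
    return $value;
}

/** Send a single header, refusing unsafe names and values. */
function send_header($name, $value)
{
    // Conservative header-name character set (assumption for this example).
    if (!is_string($name) || !preg_match('/^[A-Za-z0-9-]+$/', $name)) {
        throw new InvalidArgumentException('Invalid header name');
    }
    header($name . ': ' . assert_header_safe($value));
}

// Constructed inputs standing in for $user_data.
$samples = array(
    'plain'   => '.php?id=42',
    'CRLF'    => ".php\r\nX-Injected: 1",
    'bare LF' => ".php\nX-Injected: 1",
    'bare CR' => ".php\rX-Injected: 1",
    'NUL'     => ".php\x00",
);

foreach ($samples as $label => $user_data) {
    try {
        assert_header_safe('test' . $user_data);
        $result = 'accepted';
    } catch (InvalidArgumentException $e) {
        $result = 'rejected';
    }
    echo str_pad($label, 8), ' ', $result, "\n";
}
```

In a request handler the call would be `send_header('Location', 'test' . $user_data);`, with URL validation still done separately as the question notes.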