Cherry-pick 4cc7476

Headers: forbid \r and \n also after \0, allow CRLF followed by HT or SP and forbid \0. See bug #60227.

Conflicts:

	ext/standard/tests/general_functions/bug60227.phpt
	ext/standard/tests/general_functions/bug60227_1.phpt
	ext/standard/tests/general_functions/bug60227_2.phpt
	main/SAPI.c

Author: johannes

ext/standard/tests/general_functions/bug60227_1.phpt

@@ -10,7 +10,7 @@ header("X-Foo5: e\rSet-Cookie: ID=123");
 echo 'foo';
 ?>
 --EXPECTF--
-Warning: Header may not contain more than a single header, new line detected. in %s on line %d
+Warning: Header may not contain more than a single header, new line detected in %s on line %d
 foo
 --EXPECTHEADERS--
 X-Foo1: a

ext/standard/tests/general_functions/bug60227_2.phpt

@@ -7,7 +7,7 @@ header("X-Foo6: e\rSet-Cookie: ID=123\n d");
 echo 'foo';
 ?>
 --EXPECTF--
-Warning: Header may not contain more than a single header, new line detected. in %s on line %d
+Warning: Header may not contain more than a single header, new line detected in %s on line %d
 foo
 --EXPECTHEADERS--
 X-foo: e

ext/standard/tests/general_functions/bug60227_3.phpt

@@ -0,0 +1,14 @@
+--TEST--
+Bug #60227 (header() cannot detect the multi-line header with CR), \0 before \n
+--FILE--
+<?php
+header("X-foo: e\n foo");
+header("X-Foo6: e\0Set-Cookie: ID=\n123\n d");
+echo 'foo';
+?>
+--EXPECTF--
+Warning: Header may not contain NUL bytes in %s on line %d
+foo
+--EXPECTHEADERS--
+X-foo: e
+foo

ext/standard/tests/general_functions/bug60227_4.phpt

@@ -0,0 +1,14 @@
+--TEST--
+Bug #60227 (header() cannot detect the multi-line header with CR), CRLF
+--FILE--
+<?php
+header("X-foo: e\r\n foo");
+header("X-foo: e\r\nfoo");
+echo 'foo';
+?>
+--EXPECTF--
+Warning: Header may not contain more than a single header, new line detected in %s on line %d
+foo
+--EXPECTHEADERS--
+X-foo: e
+ foo

main/SAPI.c

@@ -590,17 +590,26 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg TSRMLS_DC)
 			return FAILURE;
 		}
 	} else {
-		/* new line safety check */
-		char *s = header_line;
-		while (s = strpbrk(s, "\n\r")) {
-			if (s[1] == ' ' || s[1] == '\t') {
-				/* RFC 2616 allows new lines if followed by SP or HT */
-				s++;
-				continue;
+		/* new line/NUL character safety check */
+		int i;
+		for (i = 0; i < header_line_len; i++) {
+			/* RFC 2616 allows new lines if followed by SP or HT */
+			int illegal_break =
+					(header_line[i+1] != ' ' && header_line[i+1] != '\t')
+					&& (
+						header_line[i] == '\n'
+						|| (header_line[i] == '\r' && header_line[i+1] != '\n'));
+			if (illegal_break) {
+				efree(header_line);
+				sapi_module.sapi_error(E_WARNING, "Header may not contain "
+						"more than a single header, new line detected");
+				return FAILURE;
+			}
+			if (header_line[i] == '\0') {
+				efree(header_line);
+				sapi_module.sapi_error(E_WARNING, "Header may not contain NUL bytes");
+				return FAILURE;
 			}
-			efree(header_line);
-			sapi_module.sapi_error(E_WARNING, "Header may not contain more than a single header, new line detected.");
-			return FAILURE;
 		}
 	}