ext/soap: truncate a user_agent containing newline characters#22771
Merged
Conversation
phpGH-17976 sanitized user_agent where the HTTP wrapper emits headers and left the SOAP client alone, so a value carrying CRLF still injects request headers through all three of its sources: the SoapClient user_agent option, the http.user_agent stream context option, and the ini setting. Resolve the three to one zend_string and emit it through the same truncate-and-warn check the HTTP wrapper applies. Closes phpGH-22771
iliaal
force-pushed
the
fix/soap-user-agent-header-injection
branch
from
July 16, 2026 17:59
eaecc75 to
5270e3e
Compare
devnexen
approved these changes
Jul 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
GH-17976 (#21658) sanitized
user_agentwhere the HTTP wrapper emits headers and left the SOAP client alone, so CRLF in the value still injects request headers. Verified against a mock server on master:ini_set('user_agent', "ua\r\nX-Injected: yes")puts a realX-Injected: yeson the wire. A NUL-prefixed value ("ua\0valid\r\n...") injects too now that 21658 made the ini global a zend_string, where the old char* form truncated at the NUL.Three sources feed that sink unchecked (the SoapClient
user_agentoption, thehttp.user_agentcontext option, and the ini), so this resolves them to one zend_string and emits through the same truncate-and-warn check the HTTP wrapper uses. The two user-zval sources were already length-aware and injected before 21658, so 8.4 and 8.5 are affected as well.The helper mirrors
smart_str_append_header_value()rather than exporting it from ext/standard, which would add API surface there for a soap fix; the duplication keeps behaviour identical for the same ini across both clients.