LP-2023-01: HTTP Multiline Header Termination Vulnerability
The package laminas/laminas-diactoros (Diactoros) is a PSR-7 HTTP Message and PSR-17 HTTP Message Factory implementation, providing HTTP request and response message representations both for making HTTP client requests and responding to HTTP requests server-side.
Affected versions of Diactoros accepted a single line feed (LF /
\n ) character at the end of a header name.
When serializing such a header name containing a line-feed into the on-the-wire representation of a HTTP/1.x message, the resulting message would be syntactically invalid, due to the header line being terminated too early.
An attacker that is able to control the header names that are passed to Diactoros would be able to intentionally craft invalid messages, possibly causing application errors or invalid HTTP requests being sent out with an PSR-18 HTTP client.
The latter might present a denial of service vector if a remote service’s web application firewall bans the application due to the receipt of malformed requests.
The following versions of Diactoros were affected:
We have provided a patch that modifies the validations of header names and values such that they now identify line feeds at the start and end of these strings, invalidating the values. The following new releases were made with this patch:
To mitigate this vulnerability without updating your libraries, you can pass header names and values accepted from user input to
trim() prior to passing them to HTTP messages:
$response = $response->withHeader(trim($headerName), trim($headerValue));
This patch is also known by the following identifiers:
The Laminas Project thanks
- Graham Campbell for reporting the issue and coordinating release with other PSR-7 implementations.
- Tim Düsterhus for developing and testing the patch used in Diactoros.