PHP Incorrect Header Parsing Vulnerability in HTTP Stream Wrapper

Vulnerability

A vulnerability exists in PHP versions 8.1.* prior to 8.1.32, 8.2.* prior to 8.2.28, 8.3.* prior to 8.3.19, and 8.4.* prior to 8.4.5. When the HTTP request module processes a response from a server, it mishandles folded headers. This can lead to a wrong interpretation of the response, causing the application to act on incorrect header values, MIME types, and so on. The issue arises because the header parser does not recognize that a header line starting with whitespace continues the previous header; it treats every newline as a header separator. As a result, the 'STREAM_NOTIFY_MIME_TYPE_IS' notification may report an inaccurate MIME type if the 'content-type' header is folded. Additionally, the '$http_response_header' array contains the header continuation lines exactly as they were received, so userland code has to account for folded headers itself; this behaviour is not compliant with RFC 9112.

Impact

Exploitation of this vulnerability could cause HTTP responses to be interpreted incorrectly, for example by misreporting MIME types or mis-parsing response headers, which could in turn lead to data being added or modified.

Reproduction

The vulnerability can be reproduced by sending an HTTP response with a folded 'Content-Type' header. The 'http' stream context can be set up with a notification callback that receives the MIME type notification. When the response is processed, the incorrect MIME type is reported, missing any information from the folded continuation lines. The raw response headers are also available, including the continuation lines that were not parsed, and require additional handling in userland code.
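As an added example (not code from the advisory or from PHP itself), the following userland helper unfolds the continuation lines that '$http_response_header' still contains on unpatched versions and recovers the full 'Content-Type', which is the value the MIME type notification should be checked against. The raw header array is a constructed sample, and RFC 9112 section 5.2 (replace each obs-fold with whitespace) is the rule being applied.

```php
<?php
// Added example, not code from the advisory or from PHP itself. Userland
// normalisation of the raw lines PHP exposes in $http_response_header: a line
// starting with SP or HTAB is an obs-fold continuation of the previous field and
// is joined to it with one space (RFC 9112, section 5.2). Unpatched PHP leaves
// such continuation lines in the array verbatim.
/** @return array{lines: string[], folded: bool} */
function unfold_response_headers(array $rawLines): array
{
    $lines = [];
    $folded = false;
    foreach ($rawLines as $line) {
        $isContinuation = $lines !== [] && $line !== '' && ($line[0] === ' ' || $line[0] === "\t");
        if ($isContinuation) {
            // Join the continuation to the previous field with a single space.
            $lines[count($lines) - 1] .= ' ' . trim($line, " \t");
            $folded = true;
        } else {
            $lines[] = $line;
        }
    }
    return ['lines' => $lines, 'folded' => $folded];
}

/** Case-insensitive lookup of a header field value; the status line has no colon and is skipped. */
function header_value(array $lines, string $name): ?string
{
    foreach ($lines as $line) {
        $colon = strpos($line, ':');
        if ($colon !== false && strcasecmp(substr($line, 0, $colon), $name) === 0) {
            return trim(substr($line, $colon + 1));
        }
    }
    return null;
}

// Constructed sample of what $http_response_header holds after a request to a
// (hypothetical) server that folds its Content-Type header.
$raw = [
    'HTTP/1.1 200 OK',
    'Content-Type: text/plain;',
    "\tcharset=utf-8",
    'Content-Length: 5',
];
$parsed = unfold_response_headers($raw);
// A vulnerable parser stops at "text/plain;"; the unfolded value keeps the charset parameter.
echo header_value($parsed['lines'], 'Content-Type'), PHP_EOL;
if ($parsed['folded']) {
    error_log('Response used obs-fold header lines; verify the MIME type against the unfolded Content-Type.');
}
```

Run the helper over the real '$http_response_header' array right after a 'file_get_contents()' call through the 'http' wrapper; on patched versions the 'folded' flag stays false because PHP already joins the lines.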

Remediation

Users should upgrade to PHP versions 8.1.32, 8.2.28, 8.3.19, or 8.4.5.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.4
impact: 5.0
exploitability: 7.8
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.