PHP
cpe:2.3:a:php:php:*:*:*:*:*:*:*
- < 8.1.32
- < 8.2.28
- < 8.3.19
- < 8.4.5
PHP versions prior to 8.1.32, prior to 8.2.28, prior to 8.3.19, and prior to 8.4.5 are affected. When the DOM or SimpleXML extensions request an HTTP resource that performs a redirect, the wrong Content-Type header is used to determine the charset. The HTTP stream wrapper does not clear the list of captured headers before following redirects, so the Content-Type used for charset detection does not match the resource actually being parsed.
As a result, documents may be parsed incorrectly, altering their meaning and potentially bypassing validations. When such a document is exported using the saveHTML() method, it is returned with the original charset, which could further obscure the issue.
To reproduce this vulnerability, create a PHP file that sends a redirect response with a Content-Type header indicating a charset of utf-16. Set up a local server to serve this file, then use a DOMDocument or SimpleXML request to retrieve the redirected resource. The response will be incorrectly parsed, demonstrating the vulnerability.
Users should upgrade to PHP versions 8.1.32, 8.2.28, 8.3.19, or 8.4.5.
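The following is an added illustration, not code from PHP or from this advisory: it contrasts taking the first charset found in an accumulated header list with taking only the final response's charset, and checks a version string against the fixed releases listed above. The function names and the sample header list are constructed for the example, and treating branches outside 8.1 to 8.4 by comparison with 8.4.5 is an assumption.

```php
<?php
// Added illustration; function names are hypothetical, header lists are constructed.
const CHARSET_RE = '/^content-type\s*:[^;]*;.*?\bcharset\s*=\s*"?([^";\s]+)/i';

// Flawed selection: first Content-Type charset anywhere in the accumulated list.
function first_listed_charset(array $headers): ?string
{
    foreach ($headers as $line) {
        if (preg_match(CHARSET_RE, $line, $m)) {
            return strtolower($m[1]);
        }
    }
    return null;
}

// Correct selection: only headers after the last status line count.
function final_response_charset(array $headers): ?string
{
    $charset = null;
    foreach ($headers as $line) {
        if (preg_match('#^HTTP/\d#i', $line)) {
            $charset = null; // new response begins: drop what earlier hops declared
        } elseif (preg_match(CHARSET_RE, $line, $m)) {
            $charset = strtolower($m[1]);
        }
    }
    return $charset;
}

// Fixed releases as listed in this advisory; other branches compare against 8.4.5.
function php_is_patched(string $version): bool
{
    $fixed = ['8.1' => '8.1.32', '8.2' => '8.2.28', '8.3' => '8.3.19', '8.4' => '8.4.5'];
    $branch = implode('.', array_slice(explode('.', $version), 0, 2));
    return version_compare($version, $fixed[$branch] ?? '8.4.5', '>=');
}

// Constructed capture: a redirect hop followed by the final response.
$captured = [
    'HTTP/1.1 302 Found',
    'Content-Type: text/html; charset=utf-16',
    'Location: /final.html',
    'HTTP/1.1 200 OK',
    'Content-Type: text/html; charset=utf-8',
];
$version = PHP_MAJOR_VERSION . '.' . PHP_MINOR_VERSION . '.' . PHP_RELEASE_VERSION;
printf("first listed: %s\n", first_listed_charset($captured) ?? 'none');
printf("final response: %s\n", final_response_charset($captured) ?? 'none');
printf("PHP %s patched: %s\n", $version, php_is_patched($version) ? 'yes' : 'no');
```

If the final response declares no charset, `final_response_charset()` returns null rather than inheriting a value from an earlier hop.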