php.lang.security.non-literal-header.non-literal-header

Author: returntocorp
Using user input when setting headers with header() is potentially dangerous. This could allow an attacker to inject a new line and add a new header into the response. This is called HTTP response splitting. To fix, do not allow whitespace inside header(): '[^\s]+'.

Definition

rules:
  - id: non-literal-header
    patterns:
      - pattern: header(...)
      - pattern-not: header("...",...)
    message: "Using user input when setting headers with `header()` is potentially
      dangerous. This could allow an attacker to inject a new line and add a new
      header into the response. This is called HTTP response splitting. To fix,
      do not allow whitespace inside `header()`: '[^\\s]+'."
    metadata:
      references:
        - https://www.php.net/manual/ru/function.header.php
        - https://owasp.org/www-community/attacks/HTTP_Response_Splitting
      category: security
      technology:
        - php
      cwe:
        - "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers
          ('HTTP Request/Response Splitting')"
      owasp:
        - A03:2021 - Injection
      subcategory:
        - audit
      likelihood: LOW
      impact: LOW
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - php
    severity: WARNING

Examples

non-literal-header.php

<?php

$data = $_GET["data"];
// ruleid: non-literal-header
header("Some-Header: $data");

$data = $_GET["data"];
// ruleid: non-literal-header
header("Some-Header: ".$data);

// ok: non-literal-header
header("Some-Header: value");
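The rule's fix advice is to let no whitespace reach header(). As an added example that is not part of the rule or its test file, the wrapper below applies the '[^\s]+' check from the message before calling header(); the function names and the header-name check are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example, not from the Semgrep rule page: validate a user-controlled
// header value with the rule's own '[^\s]+' pattern before it reaches header().

function header_value_is_safe(string $value): bool
{
    // Exactly one run of non-whitespace characters: rejects CR/LF (which would
    // terminate the header line and start a new one), spaces, tabs and "".
    // The D modifier makes '$' match only at the very end, so a trailing "\n"
    // does not slip past the anchor.
    return preg_match('/^[^\s]+$/D', $value) === 1;
}

function safe_header(string $name, string $value): void
{
    // Header-name check is an assumption added here; RFC-style token chars only.
    if (preg_match('/^[A-Za-z0-9-]+$/D', $name) !== 1) {
        throw new InvalidArgumentException('Invalid header name');
    }
    if (!header_value_is_safe($value)) {
        throw new InvalidArgumentException('Header value contains whitespace');
    }
    // Only a validated value reaches header(); the string is still non-literal,
    // so the audit rule will flag this call site for a reviewer to confirm.
    header($name . ': ' . $value);
}

// Constructed inputs standing in for $_GET["data"], with the expected verdict.
$samples = [
    'value'                  => true,   // plain token, allowed
    "value\r\nX-Other: x"    => false,  // CRLF would start a second header line
    "value\n"                => false,  // trailing newline, caught thanks to /D
    'two words'              => false,  // space, rejected by '[^\s]+'
    ''                       => false,  // empty, rejected
];
foreach ($samples as $input => $expected) {
    assert(header_value_is_safe($input) === $expected);
}
```

Since PHP 5.1.2, header() itself refuses a string containing a newline, but the check above also keeps other whitespace out and reports a clear error instead of a silently dropped header.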