<?php
setcookie('test', "test\r\n<script>alert(1)</script>");
echo 1;

But it turns out PHP automatically does the encoding:

Set-Cookie: test=test%0D%0A%3Cscript%3Ealert%281%29%3C%2Fscript%3E

Does that mean it's impossible to reproduce HTTP response splitting in PHP?

Charles
cpuer
  • Even dated php versions filter all header and setcookie calls. And why don't you just output the script tag with echo instead? – mario Jun 09 '11 at 03:16
  • @mario, please go over the link I provided above. – cpuer Jun 09 '11 at 03:18
  • So what about it? It doesn't explain the purpose of *your* question. Else the answer is simply: yes, not reproducible in current php versions. The wikipedia article devotes a whole paragraph on explaining exactly that. – mario Jun 09 '11 at 03:22
  • @mario, the whole thing of HTTP response splitting is done in the **header**, while `echo` only outputs stuff in the **body** – cpuer Jun 09 '11 at 03:24
  • So if you really need that capability, just downgrade to PHP 5.1.1 or before. – mario Jun 09 '11 at 03:28
  • It might be possible by messing with the string encoding (i.e. UTF-7 and UTF-8 mixing). – Petah Jun 09 '11 at 04:37

1 Answer


From the linked Wikipedia article:

[...] Although response splitting is not specific to PHP, the PHP interpreter contains protection against the attack since version 4.4.2 and 5.1.2. [1]

header and setcookie contain mitigations against response/header splitting. It's not possible.

mario
  • Is it possible to disable the protection? – Aaron Esau Dec 24 '16 at 07:29
  • @mario how do you know setcookie is immune? I am not able to find any references on setcookie and response splitting – charlieb Jul 17 '19 at 15:05
  • @charlieb Just forwards its constructions to header() basically: https://github.com/php/php-src/blob/37cd86080f716e5187cae2f2547d7d5deedb9839/ext/standard/head.c#L79 – mario Jul 17 '19 at 17:07
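A demonstration of the mitigations the answer describes, added here as an example; it is not code from the original question or answer. It runs under PHP's built-in web server. The port, the query parameter name `next`, and the helper names `emit_header`, `assert_safe_header_name` and `assert_safe_header_value` are assumptions made for this demo. It repeats the question's setcookie() call so the percent-encoding can be seen on the wire, shows header() refusing a value that carries CR/LF, and shows the equivalent check that code must apply itself when it assembles headers without going through header() or setcookie(), because the protection lives in those two functions, not in PHP string handling in general.

```php
<?php
// Added example, not part of the original question or answer.
// Run:   php -S 127.0.0.1:8080 demo.php        (port and file name are assumptions)
// Then:  curl -i 'http://127.0.0.1:8080/?next=%2Fhome%0D%0ASet-Cookie:%20evil%3D1'
// and compare with a clean value: curl -i 'http://127.0.0.1:8080/?next=%2Fhome'

declare(strict_types=1);

/**
 * Refuse any header value that could terminate the header line.
 * Current PHP's header() applies the same rule: a CR, LF or NUL byte anywhere
 * in the line makes it drop the whole header with an E_WARNING instead of
 * sending it. A hand-rolled emitter (raw socket, custom SAPI glue) gets no
 * such check for free and must do this itself.
 */
function assert_safe_header_value(string $value): string
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        throw new InvalidArgumentException('header value contains CR, LF or NUL');
    }
    return $value;
}

/** Header names must be RFC 7230 tokens: no whitespace, colon or control bytes. */
function assert_safe_header_name(string $name): string
{
    if (preg_match('/^[!#$%&\'*+.^_`|~0-9A-Za-z-]+$/', $name) !== 1) {
        throw new InvalidArgumentException('invalid header name');
    }
    return $name;
}

/** Hypothetical helper: validate, then hand the line to PHP. */
function emit_header(string $name, string $value): void
{
    header(assert_safe_header_name($name) . ': ' . assert_safe_header_value($value));
}

// Attacker-controlled input, e.g. "/home\r\nSet-Cookie: evil=1" after URL decoding.
$next = $_GET['next'] ?? '/';

// 1. The question's attempt. setcookie() URL-encodes the value, so the response
//    carries "test=test%0D%0A%3Cscript%3E..." and no second line is produced.
//    (setrawcookie() skips the encoding but rejects CR/LF in the value outright.)
setcookie('test', "test\r\n<script>alert(1)</script>");

// 2. header() on an unvalidated value. With CR/LF in $next PHP emits an
//    E_WARNING ("new line detected") and sends nothing for this header; the @ only
//    keeps the warning out of the demo output, it does not change the outcome.
@header('X-Naive-Redirect: ' . $next);

// 3. The same rule applied explicitly, as an emitter that bypasses header()
//    would have to. A split attempt is turned into a 400 instead of a second
//    header line.
try {
    emit_header('Location', $next);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'rejected: ', $e->getMessage(), "\n";
    exit;
}
echo "redirecting\n";
```

With the CRLF payload, `curl -i` shows the percent-encoded Set-Cookie line, no X-Naive-Redirect header at all, and a 400 from the explicit check; with `next=%2Fhome` the same script answers with a normal 302 and a Location header. The point the answer makes is visible in step 2: the injected line never reaches the client, so the split cannot be reproduced through header() or setcookie() on a PHP version that carries the fix.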