Basically it means that web applications return unfiltered user-supplied data in the HTTP header, most commonly when doing a redirect a la
header("Location: $location");
See http://www.sanctuminc.com/pdf/Whitepaper_HTTPResponse.pdf for more information.
Should we disallow, i.e. strip CRs and LFs from the string passed to header() to fix the most common vulnerability in current applications? Another idea would be to give a warning and discard the header but I think I prefer silently stripping the characters.
Is there anything we break by doing that, apart from removing the possibility to send multiple headers with one header() call, which wasn't officially supported anyway if I'm not mistaken?
Any comments? - Chris
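The two behaviours discussed above (the raw redirect, and stripping CR/LF before the value reaches the header line) side by side, as an added example that is not part of Chris's message; `$location` is assumed to be request-controlled, and the function names are hypothetical.

```php
<?php
// Added example, not from the original message. It builds the header
// line as a string rather than calling header(), so the effect of an
// injected CR/LF can be inspected directly.

// Vulnerable pattern: whatever is in $location, including CR/LF, is
// copied into the raw header line, so a second header can be injected.
function vulnerable_location_header(string $location): string {
    return "Location: $location";
}

// Proposed fix from the message: silently strip CR and LF so the value
// can never terminate the Location line and start a new header.
function stripped_location_header(string $location): string {
    $clean = str_replace(["\r", "\n"], '', $location);
    return "Location: $clean";
}

// The alternative mentioned above: refuse the value instead of stripping,
// returning null so the caller can log the attempt and not redirect.
function checked_location_header(string $location): ?string {
    if (preg_match('/[\r\n]/', $location)) {
        return null;
    }
    return "Location: $location";
}

// Constructed sample input: a benign path followed by a CRLF and a
// second header-like line, the shape response splitting relies on.
$input = "/home\r\nX-Injected: yes";

// The vulnerable version yields two header lines; the stripped version
// yields one (with the CRLF removed); the checked version yields null.
var_dump(vulnerable_location_header($input));
var_dump(stripped_location_header($input));
var_dump(checked_location_header($input));
```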
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php