I looked through the bug database and the archive of this mailing list but couldn't find any reference to HTTP Response Splitting. I apologize if this has been discussed before :-)

Basically it means that web applications return unfiltered user-supplied data in the HTTP header, most commonly when doing a redirect a la
header("Location: $location");


See http://www.sanctuminc.com/pdf/Whitepaper_HTTPResponse.pdf for more information.

Should we disallow, i.e. strip, CRs and LFs from the string passed to header() to fix the most common vulnerability in current applications? Another idea would be to give a warning and discard the header, but I think I prefer silently stripping the characters.

Is there anything we break by doing that, apart from removing the possibility to send multiple headers with one header() call, which wasn't officially supported anyway if I'm not mistaken?

Any comments?
- Chris

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
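
The two options weighed in the message above (silently strip CR/LF, or warn and discard the header), sketched in C as an added example. This is not code from the post or from the PHP source; `build_location`, `strip_crlf` and the `crlf_policy` enum are hypothetical names, and the sample redirect target is constructed.

```c
#include <stdio.h>
#include <string.h>

enum crlf_policy { CRLF_STRIP, CRLF_DISCARD };  /* hypothetical names */

/* Remove every CR and LF from s in place; return how many were removed. */
static size_t strip_crlf(char *s)
{
    size_t removed = 0;
    char *dst = s;
    for (const char *src = s; *src != '\0'; src++) {
        if (*src == '\r' || *src == '\n')
            removed++;
        else
            *dst++ = *src;
    }
    *dst = '\0';
    return removed;
}

/* Build "Location: <target>" in out, as header("Location: $location") would.
 * Returns the number of CR/LF bytes stripped (0 for clean input), or -1 if
 * the header was discarded (CRLF_DISCARD policy) or did not fit in out. */
int build_location(char *out, size_t outlen, const char *target,
                   enum crlf_policy policy)
{
    int n = snprintf(out, outlen, "Location: %s", target);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0) out[0] = '\0';
        return -1;
    }
    if (policy == CRLF_DISCARD && strpbrk(out, "\r\n") != NULL) {
        fprintf(stderr, "warning: CR/LF in header, header discarded\n");
        out[0] = '\0';
        return -1;
    }
    return (int)strip_crlf(out);
}

int main(void)
{
    /* Constructed sample: a redirect target carrying an embedded CRLF. */
    const char *target = "/next\r\nX-Constructed: 1";
    char line[128];

    int r = build_location(line, sizeof line, target, CRLF_STRIP);
    printf("strip:   r=%d line=\"%s\"\n", r, line);
    r = build_location(line, sizeof line, target, CRLF_DISCARD);
    printf("discard: r=%d line=\"%s\"\n", r, line);
    return 0;
}
```

With stripping, the text after the CRLF is still sent, but folded into the single Location value; with discard, no header is emitted at all.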


