Considering the sapi code where each header() call lands, the
code assumes that the buffer contains exactly one HTTP
response header. There are also some SAPI modules which
specifically expect exactly one header per call. As such,
stripping off \n.* seems correct to me.
- Sascha
On Mon, 11 Oct 2004, Christian Schneider wrote:
I looked through the bug database and the archive of this mailing list but
couldn't find any reference to HTTP Response Splitting. I apologize if this
has been discussed before :-)
Basically it means that web applications return unfiltered user-supplied data
in the HTTP header, most commonly when doing a redirect a la
header("Location: $location");
See http://www.sanctuminc.com/pdf/Whitepaper_HTTPResponse.pdf for more
information.
Should we disallow, i.e. strip CRs and LFs from the string passed to header()
to fix the most common vulnerability in current applications? Another idea
would be to give a warning and discard the header but I think I prefer
silently stripping the characters.
Is there anything we break by doing that apart from removing the possibility
to send multiple headers with one header() call which wasn't officially
supported anyway if I'm not mistaken?
Any comments?
- Chris
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
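An added illustration of the two options discussed above, written for this page and not taken from either message or from PHP's own SAPI code: one function truncates a header at the first CR or LF (Sascha's "strip off \n.*"), another refuses any header that is not a single line (Chris's warn-and-discard alternative), and a line counter shows why an unfiltered header("Location: $location") is dangerous. The function names and the sample redirect target with an embedded CRLF are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not PHP's SAPI code: defences for a header()-style API
 * whose caller passes user-controlled data, e.g. header("Location: $location"). */

/* Number of lines the header text would occupy on the wire. Each CR, LF or
 * CRLF starts a new line, so anything above 1 means the value smuggled in
 * extra header lines (or a blank line that terminates the header block). */
int header_line_count(const char *hdr) {
    int lines = 1;
    for (const char *p = hdr; *p; p++) {
        if (*p == '\r') {
            lines++;
            if (p[1] == '\n') p++;      /* count CRLF as a single line break */
        } else if (*p == '\n') {
            lines++;
        }
    }
    return lines;
}

/* Variant 1 (Sascha): keep only the text before the first CR or LF.
 * Returns a heap-allocated string; the caller frees it. */
char *header_truncate(const char *hdr) {
    size_t keep = strcspn(hdr, "\r\n");
    char *out = malloc(keep + 1);
    if (out == NULL) return NULL;
    memcpy(out, hdr, keep);
    out[keep] = '\0';
    return out;
}

/* Variant 2 (Chris's alternative): accept only single-line headers.
 * Returns 1 if the header may be sent, 0 if it should be discarded
 * and a warning raised. */
int header_accept(const char *hdr) {
    return strpbrk(hdr, "\r\n") == NULL;
}

/* Build "Location: <value>" the way header("Location: $location") does,
 * then apply variant 1. Returns a heap-allocated string; the caller frees it. */
char *redirect_header(const char *location) {
    const char *prefix = "Location: ";
    size_t len = strlen(prefix) + strlen(location) + 1;
    char *raw = malloc(len);
    if (raw == NULL) return NULL;
    snprintf(raw, len, "%s%s", prefix, location);
    char *safe = header_truncate(raw);
    free(raw);
    return safe;
}

int main(void) {
    /* Constructed sample: a redirect target carrying an embedded CRLF,
     * the shape of input the thread is concerned about. */
    const char *tainted = "/account\r\nX-Injected: 1";
    char raw[128];
    snprintf(raw, sizeof raw, "Location: %s", tainted);

    printf("raw header spans %d line(s)\n", header_line_count(raw));
    printf("accept as-is? %s\n",
           header_accept(raw) ? "yes" : "no (warn and discard)");

    char *safe = redirect_header(tainted);
    if (safe != NULL) {
        printf("truncated: \"%s\" (%d line)\n", safe, header_line_count(safe));
        free(safe);
    }
    return 0;
}
```

Truncation keeps the application working (the redirect still goes to the intended path), while the accept-or-reject variant makes the problem visible to the developer. Later PHP releases took the second route: header() refuses a value containing a newline and emits a warning instead of sending it.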