Considering the sapi code where each header() call lands, the
    code assumes that the buffer contains exactly one HTTP
    response header.  There are also some SAPI modules which
    specifically expect exactly one header per call.  As such,
    stripping off \n.* seems correct to me.

    - Sascha

On Mon, 11 Oct 2004, Christian Schneider wrote:

I looked through the bug database and the archive of this mailing list but couldn't find any reference to HTTP Response Splitting. I apologize if this has been discussed before :-)

Basically it means that web applications return unfiltered user-supplied data in the HTTP header, most commonly when doing a redirect a la
header("Location: $location");


See http://www.sanctuminc.com/pdf/Whitepaper_HTTPResponse.pdf for more information.

Should we disallow, i.e. strip CRs and LFs from the string passed to header() to fix the most common vulnerability in current applications? Another idea would be to give a warning and discard the header but I think I prefer silently stripping the characters.

Is there anything we break by doing that apart from removing the possibility to send multiple headers with one header() call, which wasn't officially supported anyway if I'm not mistaken?

Any comments?
- Chris

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
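As an added illustration of the attack and of the two mitigations discussed in this thread (this is example code, not code from PHP's SAPI layer or from either poster): a small C model of the path a header() string takes into the response. The attacker value INJECTED, the build_redirect() assembly, and the count_responses() parser are all constructed for this example; in a real SAPI module the status line and CRLF handling live in the module, and the web server has already URL-decoded the query string by the time $location is built.

```c
#include <stdio.h>
#include <string.h>

/* Constructed attacker input: what $location would hold after the web
 * server URL-decoded a query string such as
 *   ?location=http://example.com/%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK...
 * The embedded CRLFs end the redirect early and start a second response. */
static const char *const INJECTED =
    "http://example.com/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 18\r\n"
    "\r\n"
    "<html>pwned</html>";

enum policy { RAW = 0, STRIP_CRLF = 1, TRUNCATE_AT_NEWLINE = 2 };

/* Model of the unfiltered path: the server writes the status line, then the
 * string passed to header() followed by CRLF, then the blank line. */
void build_redirect(const char *location, char *out, size_t cap)
{
    snprintf(out, cap, "HTTP/1.1 302 Found\r\nLocation: %s\r\n\r\n", location);
}

/* Proposal from the thread: silently drop every CR and LF. */
void strip_crlf(const char *in, char *out, size_t cap)
{
    size_t j = 0;
    for (; *in != '\0' && j + 1 < cap; in++)
        if (*in != '\r' && *in != '\n')
            out[j++] = *in;
    out[j] = '\0';
}

/* Alternative from the thread: keep only the first line ("strip \n.*").
 * Here a bare CR also terminates the line, since some clients accept it. */
void truncate_at_newline(const char *in, char *out, size_t cap)
{
    size_t j = 0;
    for (; *in != '\0' && *in != '\r' && *in != '\n' && j + 1 < cap; in++)
        out[j++] = *in;
    out[j] = '\0';
}

/* The check behind the "warn and discard" option: does the value contain
 * any line terminator at all? Returns 1 if so, 0 otherwise. */
int contains_crlf(const char *s)
{
    return strpbrk(s, "\r\n") != NULL;
}

/* Count the responses a client would parse out of a byte stream: one at
 * the very start, plus one for every "HTTP/1." that directly follows the
 * blank line ending a header block. */
int count_responses(const char *raw)
{
    int count = strncmp(raw, "HTTP/1.", 7) == 0 ? 1 : 0;
    const char *p = raw;
    while ((p = strstr(p, "\r\n\r\n")) != NULL) {
        p += 4;
        if (strncmp(p, "HTTP/1.", 7) == 0)
            count++;
    }
    return count;
}

/* Push the constructed input through one policy and count what comes out. */
int responses_under(enum policy p)
{
    char value[256];
    char raw[512];
    switch (p) {
    case STRIP_CRLF:          strip_crlf(INJECTED, value, sizeof value); break;
    case TRUNCATE_AT_NEWLINE: truncate_at_newline(INJECTED, value, sizeof value); break;
    default:                  snprintf(value, sizeof value, "%s", INJECTED); break;
    }
    build_redirect(value, raw, sizeof raw);
    return count_responses(raw);
}

int main(void)
{
    printf("unfiltered:          %d response(s)\n", responses_under(RAW));
    printf("strip CR/LF:         %d response(s)\n", responses_under(STRIP_CRLF));
    printf("truncate at newline: %d response(s)\n", responses_under(TRUNCATE_AT_NEWLINE));
    printf("contains CR/LF:      %s\n", contains_crlf(INJECTED) ? "yes" : "no");
    return 0;
}
```

Both mitigations collapse the stream back to a single response, but they leave different Location values behind: stripping concatenates the attacker's tail onto the URL, while truncation keeps only the part before the first line break. Rejecting any value for which contains_crlf() is true is the third option mentioned in the thread, and is the one that makes the misuse visible to the application author instead of silently changing the header.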


