Sascha Schumann wrote:
    response header.  There are also some SAPI modules which
    specifically expect exactly one header per call.  As such,
    stripping off \n.* seems correct to me.

The HTTP standard allows header field folding (CR/LF followed by at least one whitespace on the next line), i.e.:
X-Some-Header: key1=value1;<CR><LF>
    key2=value2;
is the same as
X-Some-Header: key1=value1; key2=value2;
and that's why my patch just replaces the CRs/LFs with spaces to unfold the lines again. This won't break folded lines but will still defang malicious header splitting.


- Chris
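As an added illustration of the unfolding approach described above (example code, not Chris's patch or PHP's own source), here is a small C routine that collapses each CR/LF run into a single space; the names `unfold_header`, `unfolds_to` and `has_line_break` and the sample header values are chosen here for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Chris's patch or PHP's own code: unfold a header value
 * by turning each run of CR/LF plus the linear whitespace after it into one
 * space. Folded continuation lines join into a single line, and a CR/LF that
 * would have started a second header lands on the same line instead. */
static size_t unfold_header(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outsz; i++) {
        if (in[i] == '\r' || in[i] == '\n') {
            /* swallow the rest of the break and any leading LWS of the next line */
            while (in[i + 1] != '\0' && strchr("\r\n \t", in[i + 1]))
                i++;
            out[o++] = ' ';
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return o; /* bytes written, excluding the NUL */
}

/* Does `in` unfold to exactly `expected`? Convenience for the checks below. */
static int unfolds_to(const char *in, const char *expected)
{
    char buf[256];
    unfold_header(in, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

/* 1 if the value still contains a line break (i.e. would span >1 header line). */
static int has_line_break(const char *s)
{
    return strchr(s, '\r') != NULL || strchr(s, '\n') != NULL;
}

int main(void)
{
    char buf[256];
    /* constructed inputs: the folded header from the message, then a value
     * carrying a line break that would otherwise open a second header */
    unfold_header("X-Some-Header: key1=value1;\r\n key2=value2;", buf, sizeof buf);
    printf("%s\n", buf);
    unfold_header("X-Some-Header: ok\r\nX-Second: injected", buf, sizeof buf);
    printf("%s\n", buf);
    return 0;
}
```

Because the unfolded value never contains CR or LF, a SAPI that expects exactly one header per call still receives exactly one line.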

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
