response header. There are also some SAPI modules which specifically expect exactly one header per call. As such, stripping off \n.* seems correct to me.
The HTTP standard allows header field folding (CR/LF followed by at least one whitespace on the next line), i.e.:
    X-Some-Header: key1=value1;<CR><LF>
     key2=value2;
is the same as
    X-Some-Header: key1=value1; key2=value2;
and that's why my patch just replaces the CRs/LFs with spaces to unfold the lines again. This won't break folded lines but will still defang malicious header splitting.
- Chris
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
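
The two sanitising strategies discussed in this thread, side by side, as an added example (not the patch from the thread and not PHP's own code). The function names and the sample header lines are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Strategy from the reply: unfold in place by turning every CR or LF into a
 * space. A folded value stays whole; an embedded line break can no longer
 * start a second header. Returns the number of bytes replaced. */
size_t header_unfold(char *line, size_t len)
{
    size_t replaced = 0;
    for (size_t i = 0; i < len; i++) {
        if (line[i] == '\r' || line[i] == '\n') {
            line[i] = ' ';
            replaced++;
        }
    }
    return replaced;
}

/* Strategy from the quoted message (strip "\n.*"): cut the line at the first
 * line break. This variant also cuts at a CR so none is left dangling.
 * Returns the new length. */
size_t header_truncate(char *line, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (line[i] == '\r' || line[i] == '\n') {
            line[i] = '\0';
            return i;
        }
    }
    return len;
}

int main(void)
{
    /* Constructed samples: a legitimately folded header and a split attempt. */
    char folded_a[] = "X-Some-Header: key1=value1;\r\n key2=value2;";
    char folded_b[] = "X-Some-Header: key1=value1;\r\n key2=value2;";
    char split_a[]  = "X-Some-Header: a\r\nSet-Cookie: x=1";
    char split_b[]  = "X-Some-Header: a\r\nSet-Cookie: x=1";

    header_unfold(folded_a, strlen(folded_a));
    header_truncate(folded_b, strlen(folded_b));
    header_unfold(split_a, strlen(split_a));
    header_truncate(split_b, strlen(split_b));

    printf("unfold   folded: [%s]\ntruncate folded: [%s]\n", folded_a, folded_b);
    printf("unfold   split:  [%s]\ntruncate split:  [%s]\n", split_a, split_b);
    return 0;
}
```

Both strategies leave a single header line; they differ only in whether the text after the line break survives as part of the value (unfold) or is dropped (truncate).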