How about we do this:
Add a 3rd optional param to header(), if it is unset we remove
everything from a header that contains \r\n or \n after those chars.
However if the developer feels the need to send multiple headers or what
not they can pass 3rd arg as TRUE and "restore" the functionality.

Ilia

Stefan Esser wrote:
> Hello,
> 
>>
>> Minor:
>> 11. HTTP response splitting attack protection: Replace \r and \n with
>> space in header();
>>
>> Information and patches implementing this can be found at
>> http://cschneid.com/php/
> 
> 
> Your patches are problematic when a proxy kills overlong header lines
> that were not split up by the client onto multiple lines. Therefore \r\n
> followed by whitespace should not be replaced with spaces. Otherwise
> this could destroy legit functionality.
> 
> A similar patch for this is in Hardening-Patch above 0.3.x
> 
> Ohh and btw: this is not a minor point, because it completely kills the
> whole attack class for PHP applications with 3-5 lines of code.
> 
> Stefan Esser
> 

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
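As an added defensive example (not code from the PHP tree and not written by either poster), a C sanitizer that implements what the two messages agree on: cut a header value at the first bare line break, but leave a CR/LF that is followed by SP or HT alone so folded continuation lines from a proxy survive, with the proposed third argument modelled as an `allow_raw` flag. The function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Index of the first injected line break in val, or -1 if there is none.
 * CR, LF or CRLF followed by SP/HT is a folded continuation line (the
 * proxy case raised in the thread) and is deliberately not flagged. */
static long first_injected_break(const char *val)
{
    for (size_t i = 0; val[i] != '\0'; i++) {
        if (val[i] != '\r' && val[i] != '\n')
            continue;
        size_t j = i;
        if (val[j] == '\r') j++;               /* consume CR */
        if (val[j] == '\n') j++;               /* consume LF */
        if (val[j] == ' ' || val[j] == '\t') {
            i = j;                              /* folded line: keep scanning */
            continue;
        }
        return (long)i;                         /* bare break: treat as injection */
    }
    return -1;
}

/* Copy val into out (capacity outsz) following the proposal in the thread:
 * with allow_raw == false everything from the first injected line break
 * onward is dropped; with allow_raw == true the caller has opted in and the
 * value passes through unchanged. Returns bytes written, excluding the NUL. */
size_t sanitize_header_value(const char *val, bool allow_raw,
                             char *out, size_t outsz)
{
    size_t len = strlen(val);
    if (!allow_raw) {
        long cut = first_injected_break(val);
        if (cut >= 0)
            len = (size_t)cut;
    }
    if (len >= outsz)
        len = outsz - 1;                        /* never overflow the caller's buffer */
    memcpy(out, val, len);
    out[len] = '\0';
    return len;
}
```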