About Kiyoto's patch: Some servers would read as new headers if the newlines were just \n or \r (which would be illegal per HTTP spec). I think the characters to ban are: \n \r \0
Just replace your call to zend_trim_after_carriage_return with: + strtok(new_value, "\r\n"); // Truncate on \n, \r and \0 + new_value_length = strlen(new_value);
Chris Stockton wrote:
As for the "feature" of \r\n working in user-agent init set, my main point is that is a BC break, since it is slightly advocated to use it as a hack in the docs here [1].
Adding a new header by inserting it with user_agent is a really buggy hack. It should be documented as "in php < 5.4 it used to be possible to add a new
header modifying the ini user-agent. On newer versions you need to use
stream_context_set_params(, array('header' => $headers) )"
(plus a good example).
The proper stream_context_set_params way has apparently been available at
least since PHP 5.0. It's just hard to find.
At the end of the day passing _any_ user input to literally any php function without sanitization can be dangerous given the right context.
Sure, but that's no reason to not improve it, especially if you do it on a major release (eg. PHP 5.4).
Even though it works, it should be obvious that it isn't expected to be used that way.
So there should be little problem with it going away,
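Review bot: strtok(new_value, "\r\n") in the suggested replacement skips leading delimiters before it starts a token, so a value that begins with \r or \n is not cut at that position: the terminating NUL is written at the next delimiter after the token, or nowhere if none follows, and strlen(new_value) then still counts the line break. strtok also keeps static state between calls, which can disturb a tokenising loop in the caller and is unsafe in threaded builds. Cutting with new_value[strcspn(new_value, "\r\n")] = '\0'; before the strlen call truncates at the first \r or \n wherever it sits and carries no hidden state.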
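Passing extra headers through an http stream context instead of through user_agent, as an added example that is not part of the original message or of PHP's own code. It uses stream_context_create() with the http wrapper's header and user_agent options; the helper names and sample values are constructed for illustration.

```php
<?php
// Added example. reject_ctl() and http_context() are hypothetical helpers.

/** Refuse the three characters the message proposes banning: \n, \r, \0. */
function reject_ctl(string $text): string
{
    if (preg_match('/[\r\n\0]/', $text)) {
        throw new InvalidArgumentException('CR, LF or NUL in header text');
    }
    return $text;
}

/** Build an http context whose extra headers travel as headers. */
function http_context(string $userAgent, array $headers)
{
    $lines = [];
    foreach ($headers as $name => $value) {
        // Header names are restricted to HTTP token characters.
        if (!preg_match('/^[A-Za-z0-9!#$%&\'*+.^_`|~-]+$/', (string) $name)) {
            throw new InvalidArgumentException('Invalid header name');
        }
        $lines[] = $name . ': ' . reject_ctl((string) $value);
    }
    return stream_context_create(['http' => [
        'user_agent' => reject_ctl($userAgent), // one value, never a carrier
        'header'     => $lines,                 // one header per element
    ]]);
}

// Constructed sample values.
$ctx = http_context('ExampleClient/1.0', ['X-Request-Source' => 'batch-job']);
print_r(stream_context_get_options($ctx)['http']);

// A user_agent that tries to carry a second header is refused outright.
try {
    http_context("ExampleClient/1.0\r\nX-Extra: 1", []);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The returned context can be passed as the context argument of file_get_contents() or fopen().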
