On 03/02/12 15:01, Gustavo Lopes wrote:
> I've committed a different version that also forbids \0 (since, as
> Stefan says, a NUL byte can result in the truncation of the rest of
> the header) and that accepts a CRLF:
>
> http://svn.php.net/viewvc/php/php-src/trunk/main/SAPI.c?r1=323043&r2=323042&pathrev=323043
>

Looks good. But given that the goal is to make this robust, I would go
further:
a) Replace any CRLF + [ \r] with SP (RFC 2616 allows us "A recipient MAY
replace any linear white space with a single SP before forwarding the
message downstream.", and this also protects UAs not following the spec)
b) Bail out on any header_line[i] < ' ' (i.e. fail on any special char)

> If you or anyone else find any problem, please report a bug; otherwise
> I'll merge to 5.3 and 5.4 once 5.4 is out of code freeze.
>
> Thanks

As it's a security patch and of small scope, I would consider it for 5.4.
Stas, David?
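The stricter policy proposed in points (a) and (b) of the reply, written out as an added example; this is not the code committed to SAPI.c and not code from either poster. The names `sanitize_header_line` and `demo_out` and the sample headers are constructed for illustration, and two details are assumptions: a fold is taken to be CRLF followed by SP or HT (the RFC 2616 definition of linear white space), and bytes are compared as `unsigned char` so that values of 0x80 and above are not rejected as controls.

```c
#include <stdio.h>
#include <string.h>

/* Constructed policy check, not the code committed to SAPI.c.
 * in/len: raw header line, may contain embedded NUL bytes.
 * out:    caller buffer of at least len + 1 bytes.
 * Returns the sanitized length, or -1 if the line must be rejected. */
long sanitize_header_line(const char *in, size_t len, char *out)
{
    size_t r = 0, w = 0;

    while (r < len) {
        /* unsigned so bytes >= 0x80 are not mistaken for controls */
        unsigned char c = (unsigned char)in[r];

        /* (a) fold: CRLF followed by SP/HT collapses to one SP */
        if (c == '\r' && r + 2 < len && in[r + 1] == '\n' &&
            (in[r + 2] == ' ' || in[r + 2] == '\t')) {
            r += 2;
            while (r < len && (in[r] == ' ' || in[r] == '\t'))
                r++;
            out[w++] = ' ';
            continue;
        }
        /* (b) anything else below SP is refused: NUL, bare CR or LF,
         * CRLF that starts a new header, and other control bytes */
        if (c < ' ')
            return -1;
        out[w++] = (char)c;
        r++;
    }
    out[w] = '\0';
    return (long)w;
}

static char demo_out[128]; /* scratch buffer for the constructed samples */

int main(void)
{
    /* constructed sample inputs */
    static const char folded[] = "X-Note: first\r\n\t second";
    static const char split[]  = "Location: /a\r\nSet-Cookie: sid=1";
    static const char nul[]    = "X-Note: a\0b";

    printf("%ld\n", sanitize_header_line(folded, sizeof folded - 1, demo_out));
    printf("%ld\n", sanitize_header_line(split, sizeof split - 1, demo_out));
    printf("%ld\n", sanitize_header_line(nul, sizeof nul - 1, demo_out));
    return 0;
}
```

Because (b) is applied literally, a tab outside a fold is rejected as well, and so is a header line that ends in a bare CRLF.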