About Kiyoto's patch:
Some servers would read as new headers if the newlines were just \n or \r
(which would be illegal per HTTP spec). I think the characters to ban
are: \n \r \0
Just replace your call to zend_trim_after_carriage_return with:
+ strtok(new_value, "\r\n"); // Truncate on \n, \r
Thanks for elaborating on the "BC break" (I googled it to no avail). I guess
such a change (discarding everything after CR-LF) would break the code using BC
breaks.
Either way, at least I am fully aware of how ini_set behaves ;)
On Jan 25, 2012, at 9:25 PM, Chris Stockton wrote:
> Hello,
>
>
Hello,
On Wed, Jan 25, 2012 at 9:32 PM, Kiyoto Tamura wrote:
> Also, I am not sure if php_trim is what we want here. It looks like vrana's
> initial proposal was to discard everything after CR-LF. This is different
> from trimming CR/LF/whitespace at the end of the string.
>
Ah I see didn't th
Also, I am not sure if php_trim is what we want here. It looks like vrana's
initial proposal was to discard everything after CR-LF. This is different from
trimming CR/LF/whitespace at the end of the string.
I suppose that's a less important issue. I am mainly curious about your opinion
as to wh
Thanks for the pointers. While I agree with you that application developers
must be cognizant of input sanitization, I am not sure what's the value of
allowing CR-LF in the user agent value. Said another way, if the user agent
contains CR-LF, it was most definitely not meant to be there. Can you
Hello,
On Wed, Jan 25, 2012 at 5:43 PM, Kiyoto Tamura wrote:
> vrana has raise a good point in a potentially dangerous behavior with
> ini_set() in https://bugs.php.net/bug.php?id=60668.
>
> Here is my proposed patch. Feedback is appreciated. Thanks!
>
> Kiyoto Tamura
>
> diff --git a/Zend/zend_
vrana has raise a good point in a potentially dangerous behavior with ini_set()
in https://bugs.php.net/bug.php?id=60668.
Here is my proposed patch. Feedback is appreciated. Thanks!
Kiyoto Tamura
diff --git a/Zend/zend_ini.c b/Zend/zend_ini.c
index a7ec5d7..89b1287 100644
--- a/Zend/zend_ini.c
