On Tue, 12 Oct 2004, Sascha Schumann wrote:
> On Mon, 11 Oct 2004, Andi Gutmans wrote:
>
> > I think you are right. The only problem I can see is that people added more
> > than one header with a header() call and it actually having worked under some
> > SAPIs. My guess is that this has happened q
On Mon, 11 Oct 2004, Andi Gutmans wrote:
> I think you are right. The only problem I can see is that people added more
> than one header with a header() call and it actually having worked under some
> SAPIs. My guess is that this has happened quite often and it might break quite
> a few apps.
I'm fairly sure this topic came up on the list a little while back.
Would you mind searching the archives to see what the outcome was?
I think we ended up deciding to keep the current behaviour for BC reasons.
---Wez.
On Tue, 12 Oct 2004 01:32:21 +0200, Christian Schneider
<[EMAIL PROTECTED]> wro
Andi Gutmans wrote:
No I don't know of any application which uses it. You might be right.
If you people think we should introduce it then I'd do it for 5.1.x
and as you said, definitely have an RC before release.
And as I mentioned to Andi in another email the change would also
increase consisten
FYI. Forgot to cc: [EMAIL PROTECTED]
Date: Mon, 11 Oct 2004 15:56:17 -0700
To: Christian Schneider <[EMAIL PROTECTED]>
From: Andi Gutmans <[EMAIL PROTECTED]>
Subject: Re: [PHP-DEV] HTTP Response Splitting
At 12:46 AM 10/12/2004 +0200, Christian Schneider wrote:
Andi Gutmans wrote:
unde
I think you are right. The only problem I can see is that people added more
than one header with a header() call and it actually having worked under
some SAPIs. My guess is that this has happened quite often and it might
break quite a few apps.
Andi
At 07:36 PM 10/11/2004 +0200, Sascha Schumann
Sascha Schumann wrote:
response header. There are also some SAPI modules which
specifically expect exactly one header per call. As such,
stripping off \n.* seems correct to me.
The HTTP standard allows header field folding (CR/LF followed by at
least one whitespace on the next line)
Considering the sapi code where each header() call lands, the
code assumes that the buffer contains exactly one HTTP
response header. There are also some SAPI modules which
specifically expect exactly one header per call. As such,
stripping off \n.* seems correct to me.
-
Derick Rethans wrote:
This is the users' problem, not ours.
Sounds too much like MS to me :-)
I wrote a little patch for PHP4 which I'll deploy on our servers.
In case anyone is interested, have a look at:
http://cschneid.com/php/php4/http_reponse_splitting.patch
- Chris
--
PHP Internals - PHP Runt
On Mon, 11 Oct 2004, Christian Schneider wrote:
> I looked through the bug database and the archive of this mailing list
> but couldn't find any reference to HTTP Response Splitting. I apologize
> if this has been discussed before :-)
>
> Basically it means that web applications return unfiltered
I looked through the bug database and the archive of this mailing list
but couldn't find any reference to HTTP Response Splitting. I apologize
if this has been discussed before :-)
Basically it means that web applications return unfiltered user-supplied
data in the HTTP header, most commonly wh