Newsgroups: php.internals
Message-ID: <20041011100001.94254.qmail@pb1.pair.com>
To: internals@lists.php.net
Date: Mon, 11 Oct 2004 11:59:48 +0200
Subject: HTTP Response Splitting
From: cschneid@cschneid.com (Christian Schneider)

I looked through the bug database and the archive of this mailing list but couldn't find any reference to HTTP Response Splitting. I apologize if this has been discussed before :-)

Basically it means that web applications return unfiltered user-supplied data in the HTTP header, most commonly when doing a redirect a la header("Location: $location");

See http://www.sanctuminc.com/pdf/Whitepaper_HTTPResponse.pdf for more information.

Should we disallow, i.e. strip CRs and LFs from the string passed to header() to fix the most common vulnerability in current applications? Another idea would be to give a warning and discard the header, but I think I prefer silently stripping the characters.

Is there anything we break by doing that apart from removing the possibility to send multiple headers with one header() call, which wasn't officially supported anyway if I'm not mistaken?

Any comments?

- Chris
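The two options Chris weighs (silently strip CR/LF, or warn and discard the header) as a userland guard around the header("Location: $location") pattern; this is an added example, not code from the message or from PHP itself, and safe_header(), contains_crlf() and strip_crlf() are hypothetical helper names.

```php
<?php
// Added example (not from the original post): guard the
// header("Location: $location") pattern against CR/LF in user input.

function contains_crlf(string $value): bool
{
    // A CR or LF inside a header value ends the header line early, which
    // is what lets an unfiltered value split the response.
    return preg_match('/[\r\n]/', $value) === 1;
}

function strip_crlf(string $value): string
{
    // The "silently strip" behaviour proposed in the message.
    return str_replace(["\r", "\n"], '', $value);
}

function safe_header(string $name, string $value, bool $discard = false): bool
{
    if (contains_crlf($value)) {
        if ($discard) {
            // The "warn and discard" alternative mentioned in the message.
            trigger_error("Discarding header $name: CR/LF in value", E_USER_WARNING);
            return false;
        }
        $value = strip_crlf($value);
    }
    header("$name: $value");
    return true;
}

// Constructed input: a redirect target that arrived with an embedded CRLF,
// as an unfiltered query parameter might deliver it.
$location = "/index.php?page=home\r\nX-Constructed: demo";

// Unsafe pattern from the message:  header("Location: $location");
// Guarded version (must run before any output is sent):
$sent = safe_header('Location', $location);

echo "input had CR/LF: ", contains_crlf($location) ? 'yes' : 'no', "\n";
echo "header sent:     ", $sent ? 'yes' : 'no', "\n";
echo "stripped value:  ", strip_crlf($location), "\n";
```

Note that later PHP releases made header() itself refuse a value containing a newline, so on current PHP the built-in check would catch the unguarded call too; the guard above shows the two behaviours discussed in the message side by side.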