Newsgroups: php.internals
Date: Mon, 11 Oct 2004 13:04:46 +0200 (CEST)
From: derick@php.net (Derick Rethans)
To: Christian Schneider
cc: internals@lists.php.net
Subject: Re: [PHP-DEV] HTTP Response Splitting
In-Reply-To: <20041011100001.94254.qmail@pb1.pair.com>

On Mon, 11 Oct 2004, Christian Schneider wrote:

> I looked through the bug database and the archive of this mailing list
> but couldn't find any reference to HTTP Response Splitting. I apologize
> if this has been discussed before :-)
>
> Basically it means that web applications return unfiltered user-supplied
> data in the HTTP header, most commonly when doing a redirect a la
>     header("Location: $location");

This is the users' problem, not ours.

> Any comments?

Don't fix things that aren't broken. You always need to check user
supplied information.

Derick

-- 
Derick Rethans
http://derickrethans.nl | http://ez.no | http://xdebug.org
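One way an application can check a user-supplied redirect target before it reaches header(), as an added example that is not part of the original message or of PHP itself. The function name safe_redirect_target(), the host allow-list and the sample inputs are assumptions made for this illustration; the host check goes slightly beyond the CR/LF issue discussed in the thread.

```php
<?php
/**
 * Return $location if it is safe to place in a Location header, else null.
 * Hypothetical helper; $allowedHosts is an application-defined allow-list.
 */
function safe_redirect_target(string $location, array $allowedHosts): ?string
{
    // Any control character (CR, LF, NUL, ...) is rejected outright: CR/LF is
    // what lets user data end the header line and start a new header or body.
    if (preg_match('/[\x00-\x1F\x7F]/', $location)) {
        return null;
    }
    // Same-site path: one leading "/", not "//" or "/\" (treated by browsers
    // as protocol-relative), and no backslash anywhere.
    if (preg_match('#^/(?![/\\\\])[^\\\\]*\z#', $location)) {
        return $location;
    }
    // Absolute URL: only http(s), and only to a host on the allow-list.
    $parts = parse_url($location);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;
    }
    return $location;
}

// Constructed sample inputs, standing in for a request parameter.
$samples = [
    '/account/settings',
    'https://www.example.com/welcome',
    "/home\r\nX-Injected: 1",
    '//other.example/page',
    'javascript:alert(1)',
];
foreach ($samples as $candidate) {
    $target = safe_redirect_target($candidate, ['www.example.com']);
    printf("%-40s => %s\n", json_encode($candidate),
        $target === null ? 'rejected' : 'allowed');
    // In a real handler: if ($target !== null) { header("Location: $target"); exit; }
}
```

Later PHP releases (from 5.1.2) make header() itself refuse to send more than one header per call; validating first still lets the application reject the request cleanly instead of relying on that safeguard.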