Newsgroups: php.internals
Subject: Re: [PHP-DEV] HTTP Response Splitting
From: andi@zend.com (Andi Gutmans)
Date: Mon, 11 Oct 2004 15:35:32 -0700
To: Sascha Schumann, Christian Schneider
Cc: internals@lists.php.net

I think you are right. The only problem I can see is that people added more than one header with a header() call and it actually worked under some SAPIs. My guess is that this has happened quite often and it might break quite a few apps.

Andi

At 07:36 PM 10/11/2004 +0200, Sascha Schumann wrote:
> Considering the sapi code where each header() call lands, the
> code assumes that the buffer contains exactly one HTTP
> response header. There are also some SAPI modules which
> specifically expect exactly one header per call. As such,
> stripping off \n.* seems correct to me.
>
> - Sascha
>
> On Mon, 11 Oct 2004, Christian Schneider wrote:
>
>> I looked through the bug database and the archive of this mailing list
>> but couldn't find any reference to HTTP Response Splitting. I apologize
>> if this has been discussed before :-)
>>
>> Basically it means that web applications return unfiltered user-supplied
>> data in the HTTP header, most commonly when doing a redirect a la
>> header("Location: $location");
>>
>> See http://www.sanctuminc.com/pdf/Whitepaper_HTTPResponse.pdf for more
>> information.
>>
>> Should we disallow, i.e. strip CRs and LFs from the string passed to
>> header() to fix the most common vulnerability in current applications?
>> Another idea would be to give a warning and discard the header but I
>> think I prefer silently stripping the characters.
>>
>> Is there anything we break by doing that apart from removing the
>> possibility to send multiple headers with one header() call which wasn't
>> officially supported anyway if I'm not mistaken?
>>
>> Any comments?
>> - Chris
>>
>> --
>> PHP Internals - PHP Runtime Development Mailing List
>> To unsubscribe, visit: http://www.php.net/unsub.php
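The two mitigations debated in this thread (Sascha's "drop \n.*" truncation and Chris's "strip every CR and LF"), together with a detection check, as an added illustration that is not code from PHP's SAPI layer or from any poster. Function names and the sample header strings are constructed for this example; it also shows how each option handles the multi-header-per-call usage Andi is worried about.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Detection: does this header line contain a CR or LF, i.e. a byte that
 * would begin a second header (or the body) once written to the wire? */
int header_has_crlf(const char *hdr)
{
    return strpbrk(hdr, "\r\n") != NULL;
}

/* Mitigation A (truncate, as Sascha describes): the buffer is exactly one
 * header, so everything from the first CR or LF onward is dropped.
 * Copies at most outsz-1 bytes plus NUL; returns the output length. */
size_t header_truncate_at_crlf(const char *hdr, char *out, size_t outsz)
{
    size_t n = strcspn(hdr, "\r\n");
    if (n >= outsz) n = outsz - 1;
    memcpy(out, hdr, n);
    out[n] = '\0';
    return n;
}

/* Mitigation B (silent strip, as Chris proposes): remove every CR and LF
 * but keep the remaining bytes, so a two-header string becomes one
 * run-together header rather than being cut short. */
size_t header_strip_crlf(const char *hdr, char *out, size_t outsz)
{
    size_t n = 0;
    for (const char *p = hdr; *p && n + 1 < outsz; p++)
        if (*p != '\r' && *p != '\n')
            out[n++] = *p;
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed samples: a Location value carrying a CRLF, and the
     * "two headers in one header() call" pattern some apps relied on. */
    const char *split = "Location: http://example.com/\r\nX-Injected: 1";
    const char *multi = "X-A: 1\r\nX-B: 2";
    char buf[128];
    printf("has crlf: %d\n", header_has_crlf(split));
    header_truncate_at_crlf(split, buf, sizeof buf);
    printf("truncate: \"%s\"\n", buf);
    header_strip_crlf(multi, buf, sizeof buf);
    printf("strip:    \"%s\"\n", buf);   /* both headers are mangled */
    return 0;
}
```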