Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:13267
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Message-ID: <5.1.0.14.2.20041011160719.040d66e0@localhost>
Date: Mon, 11 Oct 2004 16:07:37 -0700
To: internals@lists.php.net
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Subject: Fwd: Re: [PHP-DEV] HTTP Response Splitting
From: andi@zend.com (Andi Gutmans)

FYI. Forgot to cc: internals@.

>Date: Mon, 11 Oct 2004 15:56:17 -0700
>To: Christian Schneider <cschneid@cschneid.com>
>From: Andi Gutmans <andi@zend.com>
>Subject: Re: [PHP-DEV] HTTP Response Splitting
>
>At 12:46 AM 10/12/2004 +0200, Christian Schneider wrote:
>>Andi Gutmans wrote:
>>>under some SAPIs. My guess is that this has happened quite often and it 
>>>might break quite a few apps.
>>
>>My guess would have been the opposite: That this is very rare as you 
>>specifically had to do \r\n (\n alone or \n\r or anything like that 
>>wouldn't work) and the examples in the documentation show multiple 
>>header() calls to set multiple headers and no indication is made that 
>>multiple headers can be sent. Quite the opposite.
>>
>>Do you know of any application which still uses it? I'd be willing to 
>>take the risk. Would be a good example where a release candidate could be 
>>useful to warn people about possible problems and revert to the old 
>>behaviour if people complain IMHO.
>
>No I don't know of any application which uses it. You might be right.
>If you people think we should introduce it then I'd do it for 5.1.x and as 
>you said, definitely have an RC before release.
>
>Andi