Newsgroups: php.internals
From: sesser@php.net (Stefan Esser)
To: Christian Schneider
CC: Rasmus Lerdorf, internals
Date: Sat, 13 Aug 2005 14:00:24 +0200
Subject: Re: [PHP-DEV] Re: PHP 6.0 Wishlist
Message-ID: <42FDE0D8.1040802@php.net>
In-Reply-To: <42FDDF11.2050308@cschneid.com>

Hello,

> Minor:
> 11. HTTP response splitting attack protection: Replace \r and \n with
> space in header();
>
> Information and patches implementing this can be found at
> http://cschneid.com/php/

Your patches are problematic when a proxy kills overlong header lines that were not split up by the client onto multiple lines. Therefore \r\n followed by whitespace should not be replaced with spaces. Otherwise this could destroy legit functionality.

A similar patch for this is in Hardening-Patch above 0.3.x

Ohh and btw: this is not a minor point, because it completely kills the whole attack class for PHP applications with 3-5 lines of code.

Stefan Esser

--
--------------------------------------------------------------------------
 Stefan Esser                                        sesser@php.net
 Hardened-PHP Project                      http://www.hardened-php.net/
 GPG-Key          gpg --keyserver pgp.mit.edu --recv-key 0x15ABDA78
 Key fingerprint  7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78
--------------------------------------------------------------------------
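
The rule described in this message, as an added example that is not part of the original post and is not code from PHP, the patches at cschneid.com or the Hardening-Patch: a C helper that neutralizes CR and LF in a header line while leaving a CRLF followed by whitespace (a folded continuation line) intact. The function name `sanitize_header` and the sample header strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * sanitize_header() is a hypothetical helper, not PHP's header() code.
 * It rewrites a header line in place: every CR or LF becomes a space,
 * except a CRLF immediately followed by SP or HTAB, which is a folded
 * continuation line and is left intact. Returns the bytes replaced.
 */
static size_t sanitize_header(char *s, size_t len)
{
    size_t i = 0, replaced = 0;

    while (i < len) {
        if (s[i] == '\r' && i + 2 < len && s[i + 1] == '\n' &&
            (s[i + 2] == ' ' || s[i + 2] == '\t')) {
            i += 3;   /* legitimate fold: keep CRLF and the whitespace */
            continue;
        }
        if (s[i] == '\r' || s[i] == '\n') {
            s[i] = ' ';   /* would otherwise end the header line */
            replaced++;
        }
        i++;
    }
    return replaced;
}

int main(void)
{
    /* Constructed sample values, not taken from any real application. */
    char injected[] = "Location: /home\r\nSet-Cookie: a=b";
    char folded[]   = "X-Long: part one\r\n part two";
    size_t n;

    n = sanitize_header(injected, strlen(injected));
    printf("%zu replaced: %s\n", n, injected);
    n = sanitize_header(folded, strlen(folded));
    printf("%zu replaced, fold kept: %d\n", n, strstr(folded, "\r\n ") != NULL);
    return 0;
}
```

A CRLF at the very end of the string has no following whitespace, so it is treated as a line break and replaced as well.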