Newsgroups: php.internals
Message-ID: <42FE1B11.5010103@prohost.org>
Date: Sat, 13 Aug 2005 12:08:49 -0400
From: ilia@prohost.org (Ilia Alshanetsky)
To: Stefan Esser
CC: Christian Schneider, Rasmus Lerdorf, internals
Subject: Re: [PHP-DEV] Re: PHP 6.0 Wishlist

How about we do this:

Add a 3rd optional param to header(), if it is unset we remove everything from a header that contains \r\n or \n after those chars. However if the developer feels the need to send multiple headers or what not they can pass 3rd arg as TRUE and "restore" the functionality.

Ilia

Stefan Esser wrote:
> Hello,
>
>>
>> Minor:
>> 11. HTTP response splitting attack protection: Replace \r and \n with
>> space in header();
>>
>> Information and patches implementing this can be found at
>> http://cschneid.com/php/
>
>
> Your patches are problematic when a proxy kills overlong header lines
> that were not split up by the client onto multiple lines. Therefore \r\n
> followed by whitespace should not be replaced with spaces. Otherwise
> this could destroy legit functionality.
>
> A similar patch for this is in Hardening-Patch above 0.3.x
>
> Ohh and btw: this is not a minor point, because it completely kills the
> whole attack class for PHP applications with 3-5 lines of code.
>
> Stefan Esser
>
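
The check discussed in this thread, as an added example that is not part of the original messages and is not PHP's own source: a header line is cut at the first CR or LF unless the caller opts in to multiple headers, while a CRLF followed by whitespace (a folded continuation line) is left intact. The names `sanitize_header_line` and `allow_multiple` are hypothetical, and the sample header values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not PHP's source. Sanitizes one header line in place
 * and returns its new length. A non-zero allow_multiple stands in for the
 * proposed opt-in argument and leaves the line untouched. */
size_t sanitize_header_line(char *line, int allow_multiple)
{
    size_t i = 0;

    if (allow_multiple)
        return strlen(line);

    while (line[i] != '\0') {
        /* CRLF followed by SP or HT is a folded continuation of the same
         * header line (the case raised in the quoted reply), so keep it. */
        if (line[i] == '\r' && line[i + 1] == '\n' &&
            (line[i + 2] == ' ' || line[i + 2] == '\t')) {
            i += 3;
            continue;
        }
        /* Any other CR or LF would start a new header or the body: cut. */
        if (line[i] == '\r' || line[i] == '\n') {
            line[i] = '\0';
            break;
        }
        i++;
    }
    return i;
}

int main(void)
{
    /* Constructed sample values, not taken from the thread. */
    char split[]  = "Location: /home\r\nSet-Cookie: sid=constructed";
    char folded[] = "X-Long: part-one\r\n part-two";
    char bare[]   = "X-A: 1\nX-B: 2";

    sanitize_header_line(split, 0);
    sanitize_header_line(folded, 0);
    sanitize_header_line(bare, 0);
    printf("[%s]\n[%s]\n[%s]\n", split, folded, bare);
    return 0;
}
```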