Newsgroups: php.internals
Message-ID: <4F21B74A.7040104@gmail.com>
Date: Thu, 26 Jan 2012 21:27:54 +0100
From: keisial@gmail.com (Ángel González)
To: Chris Stockton
CC: Kiyoto Tamura, internals@lists.php.net
References: <38EE3732-F134-4C02-8F93-2E9C61FD1E81@ktamura.com>
Subject: Re: [PHP-DEV] A potential patch for Bug#60668

About Kiyoto's patch:
Some servers would read as new headers if the newlines were just \n or \r
(which would be illegal per HTTP spec). I think the characters to ban are: \n \r \0

Just replace your call to zend_trim_after_carriage_return with:
+ strtok(new_value, "\r\n"); // Truncate on \n, \r and \0
+ new_value_length = strlen(new_value);

Chris Stockton wrote:
> As for the "feature" of \r\n working in user-agent init set, my main
> point is that is a BC break, since it is slightly advocated to use it
> as a hack in the docs here [1].

Adding a new header by inserting it with user_agent is a really buggy hack.
It should be documented as "in php < 5.4 it used to be possible to add a
new header modifying the ini user-agent. On newer versions you need to use
stream_context_set_params(, array('header' => $headers) )" (plus a good
example).

The proper stream_context_set_params way has apparently been available at
least since PHP 5.0. It's just hard to find.

> At the end of the day passing _any_
> user input to literally any php function without sanitization can be
> dangerous given the right context.

Sure, but that's no reason to not improve it, especially if you do it on a
major release (e.g. PHP 5.4).
Even though it works, it should be obvious that it isn't expected to be
used that way. So there should be little problem with it going away,
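
Review bot: the strtok(new_value, "\r\n") line does not shorten a value that begins with \r or \n, because strtok() skips leading delimiters before it looks for the end of the token; such a value is left unchanged and strlen(new_value) on the next line still covers the line break. strtok() is also not reentrant, and its return value is discarded here. Suggest new_value[strcspn(new_value, "\r\n")] = '\0'; in its place, keeping the strlen() line, which cuts at the first \r, \n or \0 wherever it occurs.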
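
The truncation rule proposed in this message (cut the value at the first \n, \r or \0), as an added example that is not part of the original post or of the PHP source. The function names and the sample values are hypothetical and constructed for illustration; the helper scans by length so an embedded NUL is treated like any other banned byte, and a strtok()-based variant is included for comparison.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not a Zend API: cut a length-counted value at the
 * first CR, LF or NUL and return the new length. The caller must own
 * value[len] (the terminator slot). */
size_t truncate_header_value(char *value, size_t len)
{
    size_t i = 0;
    while (i < len && value[i] != '\r' && value[i] != '\n' && value[i] != '\0')
        i++;
    value[i] = '\0';
    return i;
}

/* Run the helper on a copy of a constructed sample; (size_t)-1 if too long. */
size_t sanitized_len(const char *raw, size_t len)
{
    char buf[128];
    if (len >= sizeof buf)
        return (size_t)-1;
    memcpy(buf, raw, len);
    buf[len] = '\0';
    return truncate_header_value(buf, len);
}

/* For comparison: strtok() skips leading delimiters, so a value that starts
 * with CR/LF is not shortened at all. */
size_t strtok_len(const char *raw)
{
    char buf[128];
    if (strlen(raw) >= sizeof buf)
        return (size_t)-1;
    strcpy(buf, raw);
    strtok(buf, "\r\n");
    return strlen(buf);
}

int main(void)
{
    /* Constructed sample values, not taken from the bug report. */
    printf("%zu\n", sanitized_len("ExampleAgent/1.0\r\nX-Extra: 1", 28));
    printf("%zu\n", sanitized_len("\r\nX-Extra: 1", 12));
    printf("%zu\n", strtok_len("\r\nX-Extra: 1"));
    printf("%zu\n", sanitized_len("agent\0\r\nX-Extra: 1", 18));
    return 0;
}
```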