Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:57657
Return-Path: <glopes@nebm.ist.utl.pt>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 27434 invoked from network); 3 Feb 2012 12:03:31 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 3 Feb 2012 12:03:31 -0000
Authentication-Results: pb1.pair.com smtp.mail=glopes@nebm.ist.utl.pt; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=glopes@nebm.ist.utl.pt; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain nebm.ist.utl.pt from 193.136.128.22 cause and error)
X-PHP-List-Original-Sender: glopes@nebm.ist.utl.pt
X-Host-Fingerprint: 193.136.128.22 smtp2.ist.utl.pt Linux 2.6
Received: from [193.136.128.22] ([193.136.128.22:51498] helo=smtp2.ist.utl.pt)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id ED/91-11798-11DCB2F4 for <internals@lists.php.net>; Fri, 03 Feb 2012 07:03:30 -0500
Received: from localhost (localhost.localdomain [127.0.0.1])
	by smtp2.ist.utl.pt (Postfix) with ESMTP id CE06570004A3;
	Fri,  3 Feb 2012 12:03:26 +0000 (WET)
X-Virus-Scanned: by amavisd-new-2.6.4 (20090625) (Debian) at ist.utl.pt
Received: from smtp2.ist.utl.pt ([127.0.0.1])
	by localhost (smtp2.ist.utl.pt [127.0.0.1]) (amavisd-new, port 10025)
	with LMTP id eC9TFiaBOUd6; Fri,  3 Feb 2012 12:03:26 +0000 (WET)
Received: from mail2.ist.utl.pt (mail.ist.utl.pt [IPv6:2001:690:2100:1::8])
	by smtp2.ist.utl.pt (Postfix) with ESMTP id 5A18770003DA;
	Fri,  3 Feb 2012 12:03:26 +0000 (WET)
Received: from slws007.slhq.int (a79-168-248-114.cpe.netcabo.pt [79.168.248.114])
	(Authenticated sender: ist155741)
	by mail2.ist.utl.pt (Postfix) with ESMTPSA id D22172022576;
	Fri,  3 Feb 2012 12:03:25 +0000 (WET)
Content-Type: text/plain; charset=utf-8; format=flowed; delsp=yes
To: "internals PHP" <internals@lists.php.net>, "Stefan Esser"
 <stefan.esser@sektioneins.de>
References: <D5EC076D-8518-4CDC-913F-5A3F3BB97367@sektioneins.de>
Date: Fri, 03 Feb 2012 13:03:24 +0100
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Organization: =?utf-8?Q?N=C3=BAcleo_de_Eng=2E_Biom=C3=A9di?=
 =?utf-8?Q?ca_do_I=2ES=2ET=2E?=
Message-ID: <op.v83qfyebidpuyk@slws007.slhq.int>
In-Reply-To: <D5EC076D-8518-4CDC-913F-5A3F3BB97367@sektioneins.de>
User-Agent: Opera Mail/11.61 (Win32)
Subject: Re: [PHP-DEV] The case of HTTP response splitting protection in PHP
From: glopes@nebm.ist.utl.pt ("Gustavo Lopes")

On Fri, 03 Feb 2012 12:06:26 +0100, Stefan Esser  
<stefan.esser@sektioneins.de> wrote:

> [snip]
> obviously inside PHP no one cares about reviewing security patches.
>

Perhaps then you'd want to comment on:  
http://nebm.ist.utl.pt/~glopes/misc/bug60227.diff , which addresses the  
NUL byte issue, although now I'm thinking that since we're in the business  
of validating HTTP headers, we could also forbid the other control  
characters that are forbidden by the spec (not just LF and CR).

Thank you

-- 
Gustavo Lopes