Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:57668
Return-Path:
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 26722 invoked from network); 3 Feb 2012 22:00:15 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 3 Feb 2012 22:00:15 -0000
Authentication-Results: pb1.pair.com header.from=smalyshev@sugarcrm.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=smalyshev@sugarcrm.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain sugarcrm.com designates 67.192.241.113 as permitted sender)
X-PHP-List-Original-Sender: smalyshev@sugarcrm.com
X-Host-Fingerprint: 67.192.241.113 smtp113.dfw.emailsrvr.com Linux 2.6
Received: from [67.192.241.113] ([67.192.241.113:35928] helo=smtp113.dfw.emailsrvr.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 73/92-08838-EE85C2F4 for ; Fri, 03 Feb 2012 17:00:14 -0500
Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp11.relay.dfw1a.emailsrvr.com (SMTP Server) with ESMTP id E4777D1148; Fri, 3 Feb 2012 17:00:11 -0500 (EST)
X-Virus-Scanned: OK
Received: by smtp11.relay.dfw1a.emailsrvr.com (Authenticated sender: smalyshev-AT-sugarcrm.com) with ESMTPSA id 9FA75D0F18; Fri, 3 Feb 2012 17:00:11 -0500 (EST)
Message-ID: <4F2C58EB.6000907@sugarcrm.com>
Date: Fri, 03 Feb 2012 14:00:11 -0800
Organization: SugarCRM
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: Ángel González
CC: Gustavo Lopes, "internals@lists.php.net"
References: <4F2C4743.8070609@gmail.com>
In-Reply-To: <4F2C4743.8070609@gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] The case of HTTP response splitting protection in PHP
From: smalyshev@sugarcrm.com (Stas Malyshev)

Hi!
> As it's a security patch and of small scope, I would consider it for
> 5.4. Stas, David?

Do we have unit tests for this code? The fix involves changes in header sending, so it may have an impact on lots of code. Changes like this can be dangerous. I'm thinking maybe we should wait with it until 5.4.1.

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227