Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:57671
Return-Path: <keisial@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 33589 invoked from network); 3 Feb 2012 22:41:56 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 3 Feb 2012 22:41:56 -0000
Authentication-Results: pb1.pair.com header.from=keisial@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=keisial@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.54 as permitted sender)
X-PHP-List-Original-Sender: keisial@gmail.com
X-Host-Fingerprint: 74.125.82.54 mail-ww0-f54.google.com  
Received: from [74.125.82.54] ([74.125.82.54:62534] helo=mail-ww0-f54.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 37/A3-08838-2B26C2F4 for <internals@lists.php.net>; Fri, 03 Feb 2012 17:41:55 -0500
Received: by wgbdq12 with SMTP id dq12so4146248wgb.11
        for <internals@lists.php.net>; Fri, 03 Feb 2012 14:41:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=message-id:date:from:user-agent:mime-version:to:cc:subject
         :references:in-reply-to:content-type:content-transfer-encoding;
        bh=eYWlM1pKl3XtI4FDwXB936svLKMM7mtzZw+tRlPPEG8=;
        b=rWevXlYz17Mw7WINaAwZNJM57N7UqhMmfLh/3IBl/JUPDiDA3Xv4jAllWw2dUTBquQ
         +XOOXvChhzTUg2RMj9z9YYNZ4GOV8Dtf1Ifh1gvQ+mVSzp2sWr/kIbI4VZyBjX+46kyl
         L3oeJOSoLDwnwrSZ7HmOm0wTB+kZfSwdc/h0k=
Received: by 10.180.14.129 with SMTP id p1mr14460804wic.16.1328308911537;
        Fri, 03 Feb 2012 14:41:51 -0800 (PST)
Received: from [192.168.1.26] (210.Red-83-52-184.dynamicIP.rima-tde.net. [83.52.184.210])
        by mx.google.com with ESMTPS id dw7sm9536770wib.4.2012.02.03.14.41.47
        (version=SSLv3 cipher=OTHER);
        Fri, 03 Feb 2012 14:41:50 -0800 (PST)
Message-ID: <4F2C63C5.5060705@gmail.com>
Date: Fri, 03 Feb 2012 23:46:29 +0100
User-Agent: Thunderbird
MIME-Version: 1.0
To: Stas Malyshev <smalyshev@sugarcrm.com>
CC: Gustavo Lopes <glopes@nebm.ist.utl.pt>, 
 "internals@lists.php.net" <internals@lists.php.net>
References: <D5EC076D-8518-4CDC-913F-5A3F3BB97367@sektioneins.de> <op.v83qfyebidpuyk@slws007.slhq.int> <op.v83vw0bcidpuyk@slws007.slhq.int> <4F2C4743.8070609@gmail.com> <4F2C58EB.6000907@sugarcrm.com>
In-Reply-To: <4F2C58EB.6000907@sugarcrm.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] The case of HTTP response splitting protection in PHP
From: keisial@gmail.com (=?UTF-8?B?w4FuZ2VsIEdvbnrDoWxleg==?=)

On 03/02/12 23:00, Stas Malyshev wrote:
> Hi!
>
>> As it's a security patch and of small scope, I would consider it for
>> 5.4. Stas, David?
>
> Do we have unit tests for this code? The fix involves changes in header 
> sending so it may have impact on lots of code. Changes like this can be 
> dangerous. I'm thinking maybe we should wait with it until 5.4.1.
PHP_5_4 already contains code banning \n or \r newlines. The one which
could be bypassed by the "\n Header: Foo\r Foo".
Gustavo patch is fixing it to do what was meant to do.
I think that any good application relying on header() to send multiple ones
would fail with the incomplete fix, so I see little difference in
compatibility
with using the full one.