Newsgroups: php.internals
Date: Sat, 04 Feb 2012 12:26:14 +0100
From: Gustavo Lopes <glopes@nebm.ist.utl.pt>
Organization: Núcleo de Engenharia Biomédica do Instituto Superior Técnico
To: Stas Malyshev
Cc: Ángel González
In-Reply-To: <4F2C58EB.6000907@sugarcrm.com>
References: <4F2C4743.8070609@gmail.com> <4F2C58EB.6000907@sugarcrm.com>
Subject: Re: [PHP-DEV] The case of HTTP response splitting protection in PHP

On Fri, 03 Feb 2012 14:00:11 -0800, Stas Malyshev wrote:

> Hi!
>
>> As it's a security patch and of small scope, I would consider it for
>> 5.4. Stas, David?
>
> Do we have unit tests for this code? The fix involves changes in
> header sending so it may have impact on lots of code. Changes like
> this can be dangerous. I'm thinking maybe we should wait with it
> until 5.4.1.

This bug now has four tests, and there are some other tests that include calls to header().

That said, I wouldn't consider this critical. This is only relevant if the programmer included user data in the header without validation.

-- 
Gustavo Lopes
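As an added illustration of the case Gustavo describes (user data copied into a header without validation), the PHP below is not part of the original message or of the PHP source tree; the function names and the attacker input are constructed for this example. The unsafe builder copies a redirect target straight into a Location header, so a value carrying CR/LF terminates the header line and smuggles in an injected Set-Cookie header plus a body. The hardened builder rejects CR, LF and NUL (a lone CR included) before the string ever reaches header(), and then restricts the target to a local path so the redirect cannot be pointed off-site either.

```php
<?php
// Added example, not code from the PHP project or from the thread.
// Demonstrates HTTP response splitting via header() and one way to
// validate the value first. All names and inputs are constructed.

declare(strict_types=1);

// Constructed attacker input: the URL-decoded form of a query string such as
// next=/home%0d%0aSet-Cookie:%20session=attacker%0d%0a%0d%0a<html>pwned</html>
// The CRLF ends the Location line, the injected header follows, and the
// blank line terminates the header block so the attacker also controls the body.
const EVIL_NEXT = "/home\r\nSet-Cookie: session=attacker\r\n\r\n<html>pwned</html>";

// Vulnerable: untrusted data concatenated straight into the header line.
// header() receives a string containing line breaks.
function buildRedirectUnsafe(string $next): string
{
    return 'Location: ' . $next;
}

// Hardened: refuse any character that can end the header line or confuse
// the sender (CR, LF, NUL). A lone "\r" is rejected too, not only "\r\n".
// Then constrain the target to an absolute path on this host.
function buildRedirectSafe(string $next): string
{
    if (preg_match('/[\r\n\0]/', $next) === 1) {
        throw new InvalidArgumentException('control character in header value');
    }
    // Must start with a single "/" (so no scheme and no protocol-relative
    // "//evil.example") and consist only of printable ASCII.
    if (preg_match('#^/(?!/)[\x21-\x7e]*$#', $next) !== 1) {
        throw new InvalidArgumentException('redirect target must be a local path');
    }
    return 'Location: ' . $next;
}

// Hypothetical application entry point: validation happens before header().
function sendRedirect(string $next): void
{
    header(buildRedirectSafe($next), true, 302);
}

// CLI demonstration (header() does nothing useful outside a web SAPI,
// so the builders are exercised directly).
$unsafe = buildRedirectUnsafe(EVIL_NEXT);
echo 'unsafe header contains CRLF: ',
     var_export(str_contains($unsafe, "\r\n"), true), PHP_EOL;

try {
    buildRedirectSafe(EVIL_NEXT);
} catch (InvalidArgumentException $e) {
    echo 'safe builder rejected it: ', $e->getMessage(), PHP_EOL;
}

echo buildRedirectSafe('/account/settings'), PHP_EOL;
```

Run it with `php splitting.php` (PHP 8 or later for str_contains). The application-side validation shown here is the control Gustavo's message points at; the engine's own refusal of header strings containing newlines, present in header() since PHP 5.1.2 and the protection the thread is discussing, is a backstop, not a substitute for validating what goes into the header.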