Newsgroups: php.internals
Message-ID: <4F2D5028.3010302@gmail.com>
Date: Sat, 04 Feb 2012 16:35:04 +0100
From: keisial@gmail.com (Ángel González)
To: Gustavo Lopes, PHP Developers Mailing List
Subject: Re: [PHP-DEV] The case of HTTP response splitting protection in PHP

Gustavo Lopes wrote:
> On Sat, 04 Feb 2012 00:06:45 +0100, Ángel González wrote:
>> I've gone ahead and written code for that feature. Comments welcome.
>
> The comparison has a problem: if char is signed (the most common
> scenario), you'll be making a signed comparison, so any character over
> 0x7f will match (if it's an unsigned char, though, it will work,
> because of the integer promotions and usual arithmetic conversions).
> It suffices to replace ' ' with 0x20U.

Yes. I woke up this morning thinking on it. That the line should have been

    if ((unsigned char)header_line[i] < 32) {

I wouldn't have thought on using 0x20U instead of 32, but it seems that
it would work, too.

> Other than that, I am a little uncertain about the impact of this
> strictness could have on current applications, even if correct.

In my humble opinion, there won't be applications using header continuation.
PHP could even define that header() would only accept a single header with
no line continuation with very little impact.
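
The signed-comparison problem discussed in this message, as an added example (not the patch under discussion and not PHP source code). The function names and sample header lines are constructed, and the first and third functions cast to signed char to model a platform where plain char is signed.

```c
#include <stdio.h>

/* Constructed sample header lines (not from the page). */
static const char CLEAN[] = "Location: /index.php";
static const char UTF8[]  = "X-Author: \xc3\x81ngel";             /* bytes >= 0x80 */
static const char SPLIT[] = "Location: /a\r\nSet-Cookie: sid=1";  /* CR LF inside */

/* Flawed check: models a platform where plain char is signed. A byte
 * >= 0x80 is negative after integer promotion, so it compares below ' '. */
static int has_ctl_signed(const char *line)
{
    for (; *line != '\0'; line++)
        if ((signed char)*line < ' ')
            return 1;
    return 0;
}

/* Correction given in the message: compare the byte as unsigned char. */
static int has_ctl_cast(const char *line)
{
    for (; *line != '\0'; line++)
        if ((unsigned char)*line < 32)
            return 1;
    return 0;
}

/* Alternative from the quoted reply: the unsigned constant converts the
 * promoted (negative) value to a large unsigned int, so it is not < 0x20. */
static int has_ctl_0x20u(const char *line)
{
    for (; *line != '\0'; line++)
        if ((signed char)*line < 0x20U)
            return 1;
    return 0;
}

int main(void)
{
    const char *samples[] = { CLEAN, UTF8, SPLIT };
    for (size_t i = 0; i < 3; i++)
        printf("signed=%d cast=%d 0x20U=%d\n", has_ctl_signed(samples[i]),
               has_ctl_cast(samples[i]), has_ctl_0x20u(samples[i]));
    return 0;
}
```

Only the signed version rejects the UTF-8 header; all three reject the line with the embedded CR LF.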