Newsgroups: php.internals
From: glopes@nebm.ist.utl.pt (Gustavo Lopes)
Organization: Núcleo de Engenharia Biomédica do Instituto Superior Técnico
Date: Sat, 04 Feb 2012 16:49:09 +0100
Subject: Re: [PHP-DEV] The case of HTTP response splitting protection in PHP

On Sat, 04 Feb 2012 16:35:04 +0100, Ángel González wrote:
> Gustavo Lopes wrote:
>> On Sat, 04 Feb 2012 00:06:45 +0100, Ángel González wrote:
>>> I've gone ahead and written code for that feature. Comments
>>> welcome.
>>
>> The comparison has a problem: if char is signed (the most common
>> scenario), you'll be making a signed comparison, so any character over
>> 0x7f will match (if it's an unsigned char, though, it will work,
>> because of the integer promotions and usual arithmetic conversions).
>> It suffices to replace ' ' with 0x20U.
> Yes. I woke up this morning thinking on it. That the line should have
> been
>     if ((unsigned char)header_line[i] < 32) {
>
> I wouldn't have thought on using 0x20U instead of 32, but it seems that
> it would work, too.
>
>> Other than that, I am a little uncertain about the impact of this
>> strictness could have on current applications, even if correct.
> In my humble opinion, there won't be applications using header
> continuation. PHP could even define that header() would only
> accept a single header with no line continuation with very little
> impact.

There's another problem. HTs are allowed in headers, but your patch
forbids them.

And I think forbidding other C0 characters may be a good idea, but not
for the stable releases.

-- 
Gustavo Lopes
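
Added example, not code from this thread or from the patch under discussion (which is not reproduced in the message): the signed comparison described above next to the two fixes mentioned and the HT exception from the final paragraph. All function names and sample header lines are constructed for illustration, and char is modelled as signed char so the result is the same on every platform.

```c
#include <stddef.h>
#include <stdio.h>

/* Signed comparison: bytes above 0x7f are negative, so they compare
 * as less than ' ' and are wrongly treated as control characters. */
static int is_ctl_naive(signed char c) { return c < ' '; }

/* Fix from the reply: compare the byte as unsigned char. */
static int is_ctl_cast(signed char c) { return (unsigned char)c < 32; }

/* Alternative fix: c is promoted to int, then converted to unsigned
 * int against 0x20U, so negative values become very large. */
static int is_ctl_0x20u(signed char c) { return c < 0x20U; }

/* Cast fix plus the exception for HT, which is legal in a header. */
static int is_ctl_allow_ht(signed char c) {
    unsigned char u = (unsigned char)c;
    return u < 0x20 && u != '\t';
}

typedef int (*check_fn)(signed char);

/* Index of the first rejected byte, or -1 if the whole line passes. */
static long first_rejected(const char *line, size_t len, check_fn is_ctl) {
    for (size_t i = 0; i < len; i++)
        if (is_ctl((signed char)line[i])) return (long)i;
    return -1;
}

/* Constructed sample header lines (not taken from the thread). */
static const char UTF8[]  = "X-Name: \xC3\x81ngel";        /* UTF-8 value   */
static const char TAB[]   = "X-Note: a\tb";                /* contains HT   */
static const char SPLIT[] = "X-A: 1\r\nSet-Cookie: x=1";   /* CRLF injected */

int main(void) {
    const char *names[] = { "naive", "cast", "0x20U", "allow-HT" };
    check_fn checks[] = { is_ctl_naive, is_ctl_cast, is_ctl_0x20u, is_ctl_allow_ht };
    for (int k = 0; k < 4; k++)
        printf("%-8s utf8=%ld tab=%ld split=%ld\n", names[k],
               first_rejected(UTF8, sizeof UTF8 - 1, checks[k]),
               first_rejected(TAB, sizeof TAB - 1, checks[k]),
               first_rejected(SPLIT, sizeof SPLIT - 1, checks[k]));
    return 0;
}
```

The signed check rejects the legitimate UTF-8 byte at index 8, while only the last variant both accepts the tab and still stops at the CR at index 6.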