Newsgroups: php.internals
Xref: news.php.net php.internals:75180
Date: Thu, 3 Jul 2014 04:36:46 +0400
From: solar@openwall.com (Solar Designer)
To: PHP internals
Cc: D0znpp
Message-ID: <20140703003646.GA12662@openwall.com>
Subject: multiline HTTP headers support in header()

Hi,

Please drop multiline HTTP headers support from PHP header() because it
was never needed in that layer, it is a security risk in combination with
a certain IE bug, IE didn't support such multiline response headers
properly anyway, and they are deprecated by RFC 7230:

https://twitter.com/d0znpp/status/483147480843186176
http://lab.onsec.ru/2012/08/php-multiple-headers-bypass-available.html
http://tools.ietf.org/html/rfc7230#section-3.2.4

I brought this to Pierre Joye's attention on Twitter today, and he agrees
that "yes it should be removed" and asked me to "drop a mail to internals".
So I just did.

Alexander
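The kind of check this request implies, added here as an example that is not code from the post or from PHP's own header() implementation: a wrapper that refuses any header value containing a CR, LF or NUL, so neither the obsolete line folding (CRLF followed by SP/HTAB, RFC 7230 section 3.2.4) nor a bare CRLF can ever reach the response. It assumes PHP 7 or later; the function and class names are hypothetical.

```php
<?php
// Added example, not from the original post. Wraps header() so that a
// response header can never span more than one line: obs-fold (CRLF + SP/HTAB)
// is rejected along with any other CR, LF or NUL in the value.
// Names below (HeaderFoldingException, send_single_line_header) are hypothetical.

final class HeaderFoldingException extends RuntimeException {}

/**
 * True when $value contains no CR, LF or NUL. A CRLF followed by SP or HTAB is
 * the obsolete folding the post asks PHP to stop supporting; any other CR or LF
 * would terminate the header and start a new line in the response.
 */
function header_value_is_single_line(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

/**
 * Sends "$name: $value" only after validating both parts: the name must be an
 * RFC 7230 token, the value must be a single line.
 */
function send_single_line_header(string $name, string $value, bool $replace = true): void
{
    if (!preg_match('/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/', $name)) {
        throw new HeaderFoldingException('invalid header name: ' . var_export($name, true));
    }
    if (!header_value_is_single_line($value)) {
        throw new HeaderFoldingException("header value for $name must be a single line");
    }
    header($name . ': ' . $value, $replace);
}

// Constructed sample values: a plain value, an obs-fold continuation, and a
// bare CRLF that would begin a second header line.
$samples = [
    'plain'    => 'text/html; charset=utf-8',
    'obs-fold' => "text/html;\r\n charset=utf-8",
    'crlf'     => "text/html\r\nX-Second-Line: 1",
];
foreach ($samples as $label => $value) {
    printf("%-8s single-line=%s\n", $label, header_value_is_single_line($value) ? 'yes' : 'no');
}
```

Only the plain sample passes the check; the other two would throw from send_single_line_header() instead of being emitted.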