Newsgroups: php.internals
Date: Thu, 3 Jul 2014 04:50:17 +0400
From: solar@openwall.com (Solar Designer)
To: Andrea Faulds
Cc: PHP internals, D0znpp
Subject: Re: [PHP-DEV] multiline HTTP headers support in header()
Message-ID: <20140703005017.GA12807@openwall.com>
References: <20140703003646.GA12662@openwall.com>

On Thu, Jul 03, 2014 at 01:40:15AM +0100, Andrea Faulds wrote:
> On 3 Jul 2014, at 01:36, Solar Designer wrote:
> > Please drop multiline HTTP headers support from PHP header()
>
> Would this be a backwards-compatibility break?

Technically, yes. In practice, I expect that there are no PHP apps that make use of this feature.

> We could convert multi-line headers into single-line headers, I suppose, but surely it would still break BC?

Yes, and I think it's not a good idea anyway. Why would header() want to support multiline headers on input to that PHP function anyway, even with old HTTP RFC that included such support at HTTP protocol level? I see no valid reason. Was such support declared anywhere in the documentation, or does it simply happen to be present in the code as an obscure feature? I guess it's the latter.

> Be that the case, we should probably only do this for PHP 6. Though I wonder if multi-line headers are obscure enough, and the security benefits justifiable enough, that we could do it in 5.7.

I suggest doing it for 5.4. The new HTTP RFC is already out, so why keep an undocumented(?) and dangerous misfeature to produce headers that are already deprecated by the current RFC? You just need to document the change.

Alexander
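
The kinds of input at issue in this message, as an added example that is not part of the original email or of PHP's source: a hypothetical wrapper that tells single-line input apart from folded (multiline) input and from input with an embedded line break, and passes only the first on to header(). The function names and the sample strings are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not part of PHP itself.
// Classify a string meant for header() by how it uses line breaks.
function classify_header_line(string $line): string
{
    if (strpos($line, "\0") !== false) {
        return 'invalid';            // NUL is never valid in a header line
    }
    if (strpbrk($line, "\r\n") === false) {
        return 'single-line';        // no CR or LF anywhere
    }
    // Remove every line break that is followed by SP or HTAB (a fold).
    $withoutFolds = preg_replace('/\r?\n[ \t]+/', '', $line);
    if (strpbrk($withoutFolds, "\r\n") === false) {
        return 'folded';             // the multiline form discussed above
    }
    // A line break followed by anything else would start a new header line.
    return 'embedded-newline';
}

// Strict policy: only single-line input is passed on to header().
function send_header_strict(string $line): void
{
    $kind = classify_header_line($line);
    if ($kind !== 'single-line') {
        throw new InvalidArgumentException("refusing $kind header line");
    }
    header($line);
}

// Constructed sample inputs, one per class.
$samples = [
    "X-Note: one line",
    "X-Note: first part\r\n second part",
    "X-Note: value\r\nX-Other: value",
];
foreach ($samples as $s) {
    printf("%-18s %s\n", classify_header_line($s), json_encode($s));
}
```

Rejecting the folded form outright, rather than unfolding it into one line, matches the "drop" option argued for in the message.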