Newsgroups: php.internals
Xref: news.php.net php.internals:75183
Message-ID: <53B4AC6E.5050401@sugarcrm.com>
Date: Wed, 02 Jul 2014 18:05:50 -0700
Organization: SugarCRM
From: smalyshev@sugarcrm.com (Stas Malyshev)
To: Solar Designer, PHP internals
CC: D0znpp
References: <20140703003646.GA12662@openwall.com>
In-Reply-To: <20140703003646.GA12662@openwall.com>
Subject: Re: [PHP-DEV] multiline HTTP headers support in header()

Hi!
> Please drop multiline HTTP headers support from PHP header() because it
> was never needed in that layer, it is a security risk in combination

Why is it not needed in that layer? If you want to send a multiline header allowed by RFC 2616 (assuming you do want it, for undefined reasons), how else do you do that? That's the only way to send headers in PHP as far as I can see.

> with a certain IE bug, IE didn't support such multiline response headers
> properly anyway, and they are deprecated by RFC 7230:

So IE violates the RFC by misparsing the multiline headers? I'd say it's one more reason to never use IE :)

RFC 7230 indeed proposes to remove this capability, but it's not accepted yet, as far as I can see. We can probably drop this immediately for 5.6; for previous versions I'm not sure if anybody uses this feature. So if anybody knows any use of it, please tell, otherwise it's probably a good idea to kill it for stable versions too.

> I brought this to Pierre Joye's attention on Twitter today, and he
> agrees that "yes it should be removed" and asked me to "drop a mail to
> internals". So I just did.

Thank you!

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
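As an added illustration of the two policies being argued over in this thread (example code written for this page, not PHP source and not code from either poster): a Python model of a header() value check that tolerates RFC 2616 obs-fold continuation lines beside one that rejects any CR or LF, as RFC 7230 requires, plus a toy response-header parser run once as a folding-aware client and once as a client that does not implement folding. The header names and values are constructed, and the non-folding client's behaviour (treating a leading-whitespace line as a fresh header) is an assumption for the example, not a description of any specific browser's bug.

```python
"""Model of permissive (RFC 2616 obs-fold) vs strict (RFC 7230) header checks.

Constructed example: models the behaviours discussed, does not call PHP's header().
"""
import re
from typing import List, Tuple

# An obs-fold is CRLF (or bare LF) followed by SP or HT: the continuation of
# the previous field value, as RFC 2616 allowed.
OBS_FOLD = re.compile(r"\r?\n[ \t]")

# Constructed attacker-controlled value: a CRLF followed by a space, which a
# folding-tolerant check treats as a legal continuation of Content-Type.
INJECTED_VALUE = "text/html\r\n Set-Cookie: a=b"


def permissive_header_ok(value: str) -> bool:
    """Accept CR/LF only as part of an obs-fold continuation (RFC 2616 style)."""
    # Remove every legal fold; any CR or LF left over is an injection attempt.
    unfolded = OBS_FOLD.sub(" ", value)
    return "\r" not in unfolded and "\n" not in unfolded


def strict_header_ok(value: str) -> bool:
    """RFC 7230 style: a field value may never contain CR or LF at all."""
    return "\r" not in value and "\n" not in value


def build_response(name: str, value: str) -> bytes:
    """Serialize a single header followed by the blank line ending the block."""
    return f"{name}: {value}\r\n".encode() + b"\r\n"


def parse_response_headers(raw: bytes, unfold: bool) -> List[Tuple[str, str]]:
    """Parse a header block the way a client would.

    unfold=True  -> folding-aware client: a line starting with SP/HT continues
                    the previous field value (RFC 2616 obs-fold).
    unfold=False -> assumed non-folding client: every line is its own field.
    """
    headers: List[Tuple[str, str]] = []
    for line in raw.split(b"\r\n"):
        if not line:
            continue  # blank line terminates the block; ignore trailing empties
        if line[:1] in (b" ", b"\t"):
            if unfold and headers:
                name, val = headers[-1]
                headers[-1] = (name, val + " " + line.strip().decode())
                continue
            # Non-folding client (assumption): strip whitespace and parse a new field.
            line = line.strip()
        name, _, val = line.decode().partition(":")
        headers.append((name.strip(), val.strip()))
    return headers


def demonstrate() -> dict:
    """Run both checks and both clients over the constructed value."""
    response = build_response("Content-Type", INJECTED_VALUE)
    return {
        "permissive_accepts": permissive_header_ok(INJECTED_VALUE),
        "strict_accepts": strict_header_ok(INJECTED_VALUE),
        "folding_client": parse_response_headers(response, unfold=True),
        "non_folding_client": parse_response_headers(response, unfold=False),
    }


if __name__ == "__main__":
    for key, val in demonstrate().items():
        print(f"{key}: {val!r}")
```

The point the model makes is the differential: the permissive check lets the folded value through as one header, a folding-aware client sees one Content-Type value, but a client that does not unfold sees a second, attacker-supplied Set-Cookie header. The strict check removes the disagreement by refusing any CR or LF in a value.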