Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:75185
Return-Path:
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 27584 invoked from network); 3 Jul 2014 01:20:46 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 3 Jul 2014 01:20:46 -0000
Authentication-Results: pb1.pair.com header.from=solar@openwall.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=solar@openwall.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain openwall.com designates 195.42.179.200 as permitted sender)
X-PHP-List-Original-Sender: solar@openwall.com
X-Host-Fingerprint: 195.42.179.200 mother.openwall.net
Received: from [195.42.179.200] ([195.42.179.200:63868] helo=mother.openwall.net) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 33/DE-47713-CEFA4B35 for ; Wed, 02 Jul 2014 21:20:45 -0400
Received: (qmail 30598 invoked from network); 3 Jul 2014 01:20:42 -0000
Received: from localhost (HELO pvt.openwall.com) (127.0.0.1) by localhost with SMTP; 3 Jul 2014 01:20:42 -0000
Received: by pvt.openwall.com (Postfix, from userid 503) id 8FE1C487DA; Thu, 3 Jul 2014 05:20:40 +0400 (MSK)
Date: Thu, 3 Jul 2014 05:20:40 +0400
To: Stas Malyshev
Cc: PHP internals, D0znpp
Message-ID: <20140703012040.GA12971@openwall.com>
References: <20140703003646.GA12662@openwall.com> <53B4AC6E.5050401@sugarcrm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <53B4AC6E.5050401@sugarcrm.com>
User-Agent: Mutt/1.4.2.3i
Subject: Re: [PHP-DEV] multiline HTTP headers support in header()
From: solar@openwall.com (Solar Designer)

Hi Stas,

On Wed, Jul 02, 2014 at 06:05:50PM -0700, Stas Malyshev wrote:
> > Please drop multiline HTTP headers support from PHP header() because it
> > was never needed in that layer, it is a security risk in combination
>
> Why is it not needed in that layer? If you want to send a multiline
> header allowed by RFC 2616 (assuming you do want it, for undefined
> reasons), how else do you do that? That's the only way to send headers in
> PHP as far as I can see.

As you say, "for undefined reasons". I am unaware of a good reason for a
PHP app to want to explicitly do that.

Stretching my imagination, I'd think a valid reason would be if someone
were implementing an HTTP client/proxy, and wanted to pass the received
headers on to another HTTP client unaltered (including even their
protocol-level representation). I think PHP's header() function
shouldn't be intended for such use, especially as it doesn't guarantee
there are no extra headers and that the headers come in a particular
order (so it's not "unaltered" anyway).

In other words, PHP header() is not a sufficiently low-level interface
for the existence of individual low-level features in it to matter. I
think it should be a medium-level interface (so to speak), providing
only the somewhat abstract functionality of "set this HTTP header to
this value", without exposing the aspect of how exactly that is done.

> > with a certain IE bug, IE didn't support such multiline response headers
> > properly anyway, and they are deprecated by RFC 7230:
>
> So IE violates the RFC by misparsing the multiline headers?

That's my current understanding, based on D0znpp's testing.

Alexander
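The thread above concerns the "obs-fold" continuation syntax (a CRLF followed by SP or HTAB inside a field value) that RFC 2616 allowed and RFC 7230 deprecates, and the fact that header() would pass such a value through. The following is an added example, not code from the thread or from PHP itself, showing the two sides of that a defender cares about: an emitter-side check that refuses any CR or LF in a header value (so a folded value is never sent), a normalizer that unfolds obs-fold into a single space before emitting, and a recipient-side parser that applies the RFC 7230 rule of replacing each obs-fold with one SP before interpreting the value. The function names and the sample header block are constructed for this example.

```python
import re

# RFC 7230 "token" characters, the only ones allowed in a field-name.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# obs-fold = CRLF 1*( SP / HTAB ): a folded continuation line (RFC 7230, 3.2.4).
OBS_FOLD_RE = re.compile(r"\r\n[ \t]+")


def validate_header(name: str, value: str):
    """Emitter-side check for an application wrapping header().

    Returns (ok, reason). Any CR or LF in the value is rejected outright:
    that covers both classic header injection (CRLF followed by a new
    field) and the deprecated obs-fold continuation the thread discusses,
    since either one changes how a recipient will delimit the fields.
    """
    if not TOKEN_RE.match(name):
        return False, "header name is not an RFC 7230 token"
    if "\r" in value or "\n" in value:
        return False, "CR/LF in header value"
    return True, ""


def normalize_value(value: str) -> str:
    """Mitigation for a value that legitimately arrived folded (e.g. copied
    from an upstream response): unfold obs-fold into one SP, then refuse
    whatever CR/LF remains, so the result is a single-line field value."""
    unfolded = OBS_FOLD_RE.sub(" ", value)
    if "\r" in unfolded or "\n" in unfolded:
        raise ValueError("bare CR/LF in header value after unfolding")
    return unfolded


def parse_header_block(raw: str):
    """Recipient-side view: how an RFC 7230 parser reads a folded header.

    A recipient that accepts obs-fold MUST replace each one with SP before
    interpreting the field value, so a folded field is one field, not two.
    A client that does not implement this rule sees the continuation line
    as something else, which is the ambiguity the thread points at.
    """
    unfolded = OBS_FOLD_RE.sub(" ", raw)
    fields = []
    for line in unfolded.split("\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not TOKEN_RE.match(name):
            raise ValueError(f"malformed header line: {line!r}")
        # Optional whitespace around the value is not part of it.
        fields.append((name, value.strip(" \t")))
    return fields


# Constructed sample: a response header block with one folded field.
SAMPLE_RESPONSE_HEADERS = (
    "Content-Type: text/html;\r\n"
    "  charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
)


if __name__ == "__main__":
    print(validate_header("Content-Type", "text/html; charset=utf-8"))
    print(validate_header("Content-Type", "text/html;\r\n  charset=utf-8"))
    print(repr(normalize_value("text/html;\r\n  charset=utf-8")))
    print(parse_header_block(SAMPLE_RESPONSE_HEADERS))
```

An application wrapper around header() would call validate_header() (or normalize_value() when folded input is expected) and only then hand the single-line value to header(); that gives the "set this HTTP header to this value" abstraction the message argues for, independent of what header() itself lets through.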