Newsgroups: php.internals
Date: Thu, 3 Jul 2014 05:24:02 +0400
From: solar@openwall.com (Solar Designer)
To: Andrea Faulds
Cc: Stas Malyshev, PHP internals, D0znpp
Subject: Re: [PHP-DEV] multiline HTTP headers support in header()
Message-ID: <20140703012402.GA13015@openwall.com>

On Thu, Jul 03, 2014 at 02:09:05AM +0100, Andrea Faulds wrote:
> On 3 Jul 2014, at 02:05, Stas Malyshev wrote:
> > So IE violates the RFC by misparsing the multiline headers? I'd say it's
> > one more reason to never use IE :) RFC 7230 indeed proposes to remove
> > this capability, but it's not accepted yet, as far as I can see. We can
> > probably drop this immediately for 5.6, for previous versions I'm not
> > sure if anybody uses this feature. So if anybody knows any use of it,
> > please tell, otherwise it's probably a good idea to kill it for stable
> > versions too.
>
> As I've had to implement HTTP myself for a particular non-PHP application, I've read the original HTTP/1.1 RFC. As far as I know, multi-line headers are semantically equivalent to single-line headers, so couldn't we just "flatten" them automatically? It shouldn't break anything unless you're deliberately misusing header().

I think we could, and your analysis looks correct to me, but I see no good enough reason to go for the extra complexity. Having a function defined in a more complicated manner and implemented with more code is asking for more bugs and mis-interactions.

Alexander
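
The two options weighed in this thread, side by side, as an added C example (not PHP's actual header() code, and not written by anyone in the thread): rejecting any header that contains a line break versus flattening folded continuation lines into a single line. The function names and the decision to accept a bare LF as a fold are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Option A (drop multiline support): a header line is accepted only if it
 * contains no CR, LF or NUL byte. Hypothetical helper name. */
int header_is_single_line(const char *h, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (h[i] == '\r' || h[i] == '\n' || h[i] == '\0')
            return 0;
    return 1;
}

/* Option B (flatten): rewrite each fold (CRLF or bare LF followed by SP/HT)
 * as one space, in place. Returns the new length, or -1 when a line break
 * is not followed by SP/HT (it would start a new header line), or when a
 * bare CR or a NUL byte is present. Hypothetical helper name. */
long header_flatten(char *h, size_t len)
{
    size_t r = 0, w = 0;
    while (r < len) {
        char c = h[r];
        if (c == '\0')
            return -1;
        if (c == '\r') {
            if (r + 1 >= len || h[r + 1] != '\n')
                return -1;              /* bare CR */
            r++;                        /* step onto the LF */
            c = '\n';
        }
        if (c == '\n') {
            r++;
            if (r >= len || (h[r] != ' ' && h[r] != '\t'))
                return -1;              /* not a continuation line */
            while (r < len && (h[r] == ' ' || h[r] == '\t'))
                r++;                    /* swallow the fold's whitespace */
            h[w++] = ' ';
            continue;
        }
        h[w++] = c;
        r++;
    }
    if (w < len)
        h[w] = '\0';
    return (long)w;
}
```

Option A is a single loop with one outcome per byte; option B has to decide about bare CR, bare LF, trailing folds and whitespace runs, which is the extra surface the reply above argues against.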