Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:75188 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 46773 invoked from network); 3 Jul 2014 05:33:55 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 3 Jul 2014 05:33:55 -0000 Authentication-Results: pb1.pair.com smtp.mail=tyra3l@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=tyra3l@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.216.50 as permitted sender) X-PHP-List-Original-Sender: tyra3l@gmail.com X-Host-Fingerprint: 209.85.216.50 mail-qa0-f50.google.com Received: from [209.85.216.50] ([209.85.216.50:58487] helo=mail-qa0-f50.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 60/81-47713-04BE4B35 for ; Thu, 03 Jul 2014 01:33:53 -0400 Received: by mail-qa0-f50.google.com with SMTP id m5so9702039qaj.37 for ; Wed, 02 Jul 2014 22:33:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=ChThrcHGMN43Ev89mzXnZ90CpPyj5pHiGEaFW94k+Nc=; b=JtA4WZKwb+RRjyCcKT62xQMMIXd0pdM7RVtXZN8PGw/orEDtEyN10gvD69yyJhqWxL oktOBBdcJHYJ/PXaCjCQP5B44WuFV4yIsBHjLR88RWqbkOM96nNUzmnexQhEMQZixS5q ZTrKNnIEdXlUsE0zIbo3t0pXMgkyvdPJ8beTr35H+wAJBU9TWaeLMII9sohxdeLu8cPD H45D9nSaTIBtVtEDckskmmrdxX9/uQ0+UMQxGZ20mPcxRdqaSL3GEyVQVh/zPmQXKX4B THfB7hBarc2CRKJ3OBz1FKadNlUQ7RVOYMOd3dD7PxnhrHhj5YryYRfM+jZ+n2cxhctE Es/Q== MIME-Version: 1.0 X-Received: by 10.140.92.167 with SMTP id b36mr3431744qge.97.1404365629585; Wed, 02 Jul 2014 22:33:49 -0700 (PDT) Received: by 10.140.47.175 with HTTP; Wed, 2 Jul 2014 22:33:49 -0700 (PDT) In-Reply-To: <20140703003646.GA12662@openwall.com> References: <20140703003646.GA12662@openwall.com> Date: Thu, 3 Jul 2014 07:33:49 +0200 Message-ID: To: Solar Designer Cc: PHP internals , D0znpp Content-Type: multipart/alternative; boundary=001a1139c3a27c7edd04fd435af2 Subject: Re: [PHP-DEV] multiline HTTP headers support in header() From: tyra3l@gmail.com (Ferenc Kovacs) --001a1139c3a27c7edd04fd435af2 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On Thu, Jul 3, 2014 at 2:36 AM, Solar Designer wrote: > Hi, > > Please drop multiline HTTP headers support from PHP header() because it > was never needed in that layer, it is a security risk in combination > with a certain IE bug, IE didn't support such multiline response headers > properly anyway, and they are deprecated by RFC 7230: > > https://twitter.com/d0znpp/status/483147480843186176 > http://lab.onsec.ru/2012/08/php-multiple-headers-bypass-available.html > http://tools.ietf.org/html/rfc7230#section-3.2.4 > > I brought this to Pierre Joye's attention on Twitter today, and he > agrees that "yes it should be removed" and asked me to "drop a mail to > internals". So I just did. > > Alexander > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php > > maybe I'm missing something here, but we don't really "support" multiline headers with header() anymore since 5.1.2, but from time to time this issue resurfaces, mostly because some browsers split header lines on other characters (https://bugs.php.net/bug.php?id=3D60227 and http://lab.onsec.ru/2012/08/php-multiple-headers-bypass-available.html) than we originally assumed or what the RFC 2616 allows. so I'm not sure how could we fix this other than a one-by-one basis when we find another browser quirk like this. --=20 Ferenc Kov=C3=A1cs @Tyr43l - http://tyrael.hu --001a1139c3a27c7edd04fd435af2--