Newsgroups: php.internals
Date: Thu, 3 Jul 2014 10:05:12 +0400
From: solar@openwall.com (Solar Designer)
To: Ferenc Kovacs
Cc: PHP internals, D0znpp
Subject: Re: [PHP-DEV] multiline HTTP headers support in header()
Message-ID: <20140703060512.GA16494@openwall.com>
References: <20140703003646.GA12662@openwall.com>

On Thu, Jul 03, 2014 at 07:33:49AM +0200, Ferenc Kovacs wrote:
> maybe I'm missing something here,

I guess so.

> but we don't really "support" multiline
> headers with header() anymore since 5.1.2,

If you mean bug 60227, then you're confusing things here. That bug was about having multiple headers sent by header(). I am talking about individual multiline headers.

> but from time to time this issue
> resurfaces, mostly because some browsers split header lines on other
> characters (https://bugs.php.net/bug.php?id=60227 and
> http://lab.onsec.ru/2012/08/php-multiple-headers-bypass-available.html)
> than we originally assumed or what the RFC 2616 allows.
> so I'm not sure how could we fix this other than a one-by-one basis when we
> find another browser quirk like this.

I've seen bug 60227 before. We shouldn't reintroduce that bug, but we should drop support for multiline headers. There's no contradiction.

Alexander
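
The distinction drawn in the message above, between several headers in one header() call and one header folded across lines, can be made concrete with a small classifier. This is an added example, not part of the original message and not code from PHP; all names are hypothetical, and treating bare CR, bare LF, NUL and a trailing line break as unsafe is an assumption of the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names; this is not code from PHP's source tree. */
enum hdr_class {
    HDR_SINGLE_LINE, /* no CR, LF or NUL anywhere */
    HDR_FOLDED,      /* every line break is followed by SP or HT (one folded header) */
    HDR_SPLIT        /* some line break starts a new line: more than one header */
};

/* Classify the string handed to a header()-like call. Assumption: bare CR and
 * bare LF count as line breaks too, and a NUL byte or a trailing line break
 * is treated as HDR_SPLIT, to stay on the safe side of lenient clients. */
enum hdr_class classify_header(const char *s, size_t len)
{
    enum hdr_class result = HDR_SINGLE_LINE;
    size_t i = 0;

    while (i < len) {
        char c = s[i];
        if (c == '\0')
            return HDR_SPLIT;
        if (c != '\r' && c != '\n') {
            i++;
            continue;
        }
        /* Consume one line break: CRLF, bare CR or bare LF. */
        i += (c == '\r' && i + 1 < len && s[i + 1] == '\n') ? 2 : 1;
        /* A continuation line must begin with SP or HT. */
        if (i < len && (s[i] == ' ' || s[i] == '\t'))
            result = HDR_FOLDED;
        else
            return HDR_SPLIT;
    }
    return result;
}

/* Policy that blocks only multiple headers and still lets folded ones through. */
int accept_folding(const char *s, size_t len) { return classify_header(s, len) != HDR_SPLIT; }

/* Policy with multiline support dropped: a single physical line only. */
int accept_single_line(const char *s, size_t len) { return classify_header(s, len) == HDR_SINGLE_LINE; }

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "X-Note: one line", "X-Note: first\r\n second", "X-Note: a\r\nX-Other: b" };
    for (size_t i = 0; i < 3; i++)
        printf("%zu: folding=%d single=%d\n", i, accept_folding(samples[i], strlen(samples[i])), accept_single_line(samples[i], strlen(samples[i])));
    return 0;
}
```

The folded sample is the only input on which the two policies disagree, which is the case the message is about.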