Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:75192
Return-Path: <solar@openwall.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 53521 invoked from network); 3 Jul 2014 06:08:44 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 3 Jul 2014 06:08:44 -0000
Authentication-Results: pb1.pair.com header.from=solar@openwall.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=solar@openwall.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain openwall.com designates 195.42.179.200 as permitted sender)
X-PHP-List-Original-Sender: solar@openwall.com
X-Host-Fingerprint: 195.42.179.200 mother.openwall.net  
Received: from [195.42.179.200] ([195.42.179.200:63615] helo=mother.openwall.net)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 13/E2-47713-B63F4B35 for <internals@lists.php.net>; Thu, 03 Jul 2014 02:08:44 -0400
Received: (qmail 12217 invoked from network); 3 Jul 2014 06:08:41 -0000
Received: from localhost (HELO pvt.openwall.com) (127.0.0.1)
  by localhost with SMTP; 3 Jul 2014 06:08:41 -0000
Received: by pvt.openwall.com (Postfix, from userid 503)
	id AC67C487DA; Thu,  3 Jul 2014 10:08:37 +0400 (MSK)
Date: Thu, 3 Jul 2014 10:08:37 +0400
To: Ferenc Kovacs <tyra3l@gmail.com>
Cc: Adam Harvey <aharvey@php.net>, Andrea Faulds <ajf@ajf.me>,
	Stas Malyshev <smalyshev@sugarcrm.com>,
	PHP internals <internals@lists.php.net>, D0znpp <d0znpp@onsec.ru>
Message-ID: <20140703060837.GB16494@openwall.com>
References: <20140703003646.GA12662@openwall.com> <53B4AC6E.5050401@sugarcrm.com> <F494C86C-44E9-4BBC-889F-ADEA38107612@ajf.me> <20140703012402.GA13015@openwall.com> <CADajX4CvRPVZ7P2UrEynXUJCSD2GCnMhP8zvy7+W29bnecTGGw@mail.gmail.com> <CAH-PCH5EbCz+80SyH1M8zqBR4WVqW4K_deDYbheZ5pkU1ch6HA@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAH-PCH5EbCz+80SyH1M8zqBR4WVqW4K_deDYbheZ5pkU1ch6HA@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
Subject: Re: [PHP-DEV] multiline HTTP headers support in header()
From: solar@openwall.com (Solar Designer)

On Thu, Jul 03, 2014 at 07:36:26AM +0200, Ferenc Kovacs wrote:
> If I'm reading this correctly this would reintroduce
> https://bugs.php.net/bug.php?id=60227

No.

> those checks aren't there to support header splitting but to prevent them,
> as "\r\n" isn't the only separator which will cause browsers to split the
> header.

Individual '\r' or '\n' may also separate headers in specific browsers,
yes.  We should continue to disallow them as well.

Adam's patch looks correct to me in this respect: strpbrk() returns
non-NULL when _any_ of the characters is found.

Why did the old code special-case NUL, though?  Should we possibly
preserve that?

Alexander