Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:75193
Return-Path: <solar@openwall.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 55019 invoked from network); 3 Jul 2014 06:13:08 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 3 Jul 2014 06:13:08 -0000
Authentication-Results: pb1.pair.com smtp.mail=solar@openwall.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=solar@openwall.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain openwall.com designates 195.42.179.200 as permitted sender)
X-PHP-List-Original-Sender: solar@openwall.com
X-Host-Fingerprint: 195.42.179.200 mother.openwall.net  
Received: from [195.42.179.200] ([195.42.179.200:61139] helo=mother.openwall.net)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 77/33-47713-374F4B35 for <internals@lists.php.net>; Thu, 03 Jul 2014 02:13:08 -0400
Received: (qmail 15987 invoked from network); 3 Jul 2014 06:13:04 -0000
Received: from localhost (HELO pvt.openwall.com) (127.0.0.1)
  by localhost with SMTP; 3 Jul 2014 06:13:04 -0000
Received: by pvt.openwall.com (Postfix, from userid 503)
	id 1C39D487DA; Thu,  3 Jul 2014 10:13:01 +0400 (MSK)
Date: Thu, 3 Jul 2014 10:13:01 +0400
To: Ferenc Kovacs <tyra3l@gmail.com>
Cc: Adam Harvey <aharvey@php.net>, Andrea Faulds <ajf@ajf.me>,
	Stas Malyshev <smalyshev@sugarcrm.com>,
	PHP internals <internals@lists.php.net>, D0znpp <d0znpp@onsec.ru>
Message-ID: <20140703061300.GC16494@openwall.com>
References: <20140703003646.GA12662@openwall.com> <53B4AC6E.5050401@sugarcrm.com> <F494C86C-44E9-4BBC-889F-ADEA38107612@ajf.me> <20140703012402.GA13015@openwall.com> <CADajX4CvRPVZ7P2UrEynXUJCSD2GCnMhP8zvy7+W29bnecTGGw@mail.gmail.com> <CAH-PCH5EbCz+80SyH1M8zqBR4WVqW4K_deDYbheZ5pkU1ch6HA@mail.gmail.com> <CAH-PCH6Pn1N5Xdsmj2xM16APYGUqU+nktFjwXTBfHN=ioFvqjA@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAH-PCH6Pn1N5Xdsmj2xM16APYGUqU+nktFjwXTBfHN=ioFvqjA@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
Subject: Re: [PHP-DEV] multiline HTTP headers support in header()
From: solar@openwall.com (Solar Designer)

On Thu, Jul 03, 2014 at 07:42:14AM +0200, Ferenc Kovacs wrote:
> and for the record, my irc history tells me that Nikita sent an email about
> http://lab.onsec.ru/2012/08/php-multiple-headers-bypass-available.html to
> security@php.net back in 2012-08-24, so maybe there were some discussion
> there which I'm missing.

I wasn't party to that discussion, but I think the issue was dismissed
as an IE bug at the time.  While there's an IE bug involved, I think it
was wrong to dismiss the issue.  Relevant tweets from 2012:

https://twitter.com/d0znpp/status/238778122160443392

Alexander