Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:75196 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 60126 invoked from network); 3 Jul 2014 06:33:28 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 3 Jul 2014 06:33:28 -0000 Authentication-Results: pb1.pair.com header.from=pierre.php@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=pierre.php@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.53 as permitted sender) X-PHP-List-Original-Sender: pierre.php@gmail.com X-Host-Fingerprint: 209.85.192.53 mail-qg0-f53.google.com Received: from [209.85.192.53] ([209.85.192.53:45977] helo=mail-qg0-f53.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 9C/44-47713-739F4B35 for ; Thu, 03 Jul 2014 02:33:27 -0400 Received: by mail-qg0-f53.google.com with SMTP id i50so5677158qgf.26 for ; Wed, 02 Jul 2014 23:33:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=K863B3POE4E+0QzYEWr2Y744DWUID8H6srCrl86hzCw=; b=CLIx4GDsSTg+EfKb5dpEeC7voUm6kcvZ1HLTYHIrJOcijipDdOjTpWDqZgJguJpy8o pjdC/PJGQkJUcy1myN9smsUFRCaAxeAtyaKvqhidfLGVWyYKmLjaq/i62cSLVwHLWhTc yVdnF83RUeJYO6As6nkpnH4lfv1ZszBIuO4SMOIWwG4xDEq6Pl6n5FLcu/RLUL7uAMrb LktV3a3wTD5pPww/aePzqGb2YMhHs9Qkt9G2Dj6mp3dETz+j0uV0dTmy6IgDbejdcx5e oy40BF5gPWeOceM7rum32pYaAvjV0RycP7VGj6Y8hzieLlUZV+UxtBGKfqdYmh9YDF6T Zdlg== MIME-Version: 1.0 X-Received: by 10.224.111.196 with SMTP id t4mr3998542qap.63.1404369204969; Wed, 02 Jul 2014 23:33:24 -0700 (PDT) Received: by 10.140.28.183 with HTTP; Wed, 2 Jul 2014 23:33:24 -0700 (PDT) Received: by 10.140.28.183 with HTTP; Wed, 2 Jul 2014 23:33:24 -0700 (PDT) In-Reply-To: <20140703003646.GA12662@openwall.com> References: <20140703003646.GA12662@openwall.com> Date: Thu, 3 Jul 2014 08:33:24 +0200 Message-ID: To: Solar Designer Cc: D0znpp , PHP internals Content-Type: multipart/alternative; boundary=001a11c2d6009885a104fd442f34 Subject: Re: [PHP-DEV] multiline HTTP headers support in header() From: pierre.php@gmail.com (Pierre Joye) --001a11c2d6009885a104fd442f34 Content-Type: text/plain; charset=UTF-8 On Jul 3, 2014 2:37 AM, "Solar Designer" wrote: > > Hi, > > Please drop multiline HTTP headers support from PHP header() because it > was never needed in that layer, it is a security risk in combination > with a certain IE bug, IE didn't support such multiline response headers > properly anyway, and they are deprecated by RFC 7230: > > https://twitter.com/d0znpp/status/483147480843186176 > http://lab.onsec.ru/2012/08/php-multiple-headers-bypass-available.html > http://tools.ietf.org/html/rfc7230#section-3.2.4 > > I brought this to Pierre Joye's attention on Twitter today, and he > agrees that "yes it should be removed" and asked me to "drop a mail to > internals". So I just did. I confirm and reiterate my +1 here Thanks for bringing this topic back to internals. Cheers, Pierre --001a11c2d6009885a104fd442f34--