Patches: SAPI.diff (last revision 2011-11-06 07:05 UTC by rui_hirokawa at yahoo dot co dot jp)
[2011-11-06 11:07 UTC] hirokawa@php.net
[2011-11-06 11:19 UTC] hirokawa@php.net
[2011-11-06 11:19 UTC] hirokawa@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: hirokawa
[2011-11-10 14:24 UTC] hirokawa@php.net
[2012-01-14 07:40 UTC] hirokawa@php.net
[2012-02-02 18:24 UTC] cataphract@php.net
[2012-02-03 08:48 UTC] cataphract@php.net
[2012-02-03 13:56 UTC] cataphract@php.net
[2012-03-07 07:49 UTC] stas@php.net
[2012-03-12 14:34 UTC] neweracracker at gmail dot com
[2012-04-18 09:47 UTC] laruence@php.net
[2012-07-24 23:39 UTC] rasmus@php.net
[2013-11-17 09:35 UTC] laruence@php.net
Description:
------------
As of PHP 5.1.2, header() can no longer be used to send multiple response headers in a single call to prevent the HTTP Response Splitting Attack. header() only checks the linefeed (LF, 0x0A) as the line-end marker; it doesn't check the carriage return (CR, 0x0D).

However, some browsers, including Google Chrome and IE, also recognize CR as the line-end (it is reported by Mr. Tokumaru).

The current specification of header() still has a vulnerability to the HTTP header splitting attack.

Test script:
---------------
<?php
header('Location: '.$_GET['url']);
print_r($_COOKIE);
?>

accessed from a URL like:
http://example.com/head1.php?url=http://example.com/head1.php%0DSet-Cookie:+NAME=foo

It should be executed with Google Chrome or IE.

Expected result:
----------------
Warning: Header may not contain more than a single header, new line detected. in /xxxx/head1.php on line 2
Array ( )

Actual result:
--------------
Array (NAME=>'foo')
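Added example (not part of the original report and not PHP's own source): a small C model of the two checks the report contrasts, an LF-only scan and a scan that also rejects CR, run on the header line the test script would build from the report's URL. The function names and the SAMPLE constant are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the behaviour the report describes: only LF (0x0A) is treated
 * as a line end, so a bare CR passes. Returns 1 if the line is accepted. */
static int lf_only_check_accepts(const char *line, size_t len)
{
    return memchr(line, '\n', len) == NULL;
}

/* Stricter scan: CR (0x0D) or LF (0x0A) anywhere in the line is a break.
 * Returns the offset of the first offending byte, or -1 if there is none. */
static long first_line_break(const char *line, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (line[i] == '\r' || line[i] == '\n')
            return (long)i;
    }
    return -1;
}

/* Returns 1 only when the line contains neither CR nor LF. */
static int strict_check_accepts(const char *line, size_t len)
{
    return first_line_break(line, len) < 0;
}

/* Constructed input: the header line built by the report's test script
 * after the query string is decoded (%0D becomes CR, '+' becomes a space). */
static const char SAMPLE[] =
    "Location: http://example.com/head1.php\rSet-Cookie: NAME=foo";

int main(void)
{
    size_t len = sizeof(SAMPLE) - 1;

    printf("LF-only check accepts: %d\n", lf_only_check_accepts(SAMPLE, len));
    printf("strict check accepts:  %d\n", strict_check_accepts(SAMPLE, len));
    printf("first line break at:   %ld\n", first_line_break(SAMPLE, len));
    return 0;
}
```

The same scan belongs in application code that places request data into a header value, so that the result does not depend on which line terminators a given client honours.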