On Tue, 8 Mar 2011, Gabriel Totoliciu wrote:
> (I'm not sure if this is the correct mailing list for curl for php bug reports. Please advise with the proper mailing list if this is the wrong one.)

The PHP/CURL binding is written by the PHP team, file bug reports in their bug tracker: http://bugs.php.net/

> Inserting CRLF into a header value splits the header into different headers. This behavior seems to be a potential security problem.

Right, but... why do you insert CRLF into headers unless you really want the subsequent behavior?

> Since curl for php allows the programmer to give an *array of headers* as the CURLOPT_HTTPHEADER parameter, it should convert the CRLF characters to either CRLFSP or SP according to the RFC.

I won't speak for the PHP/CURL authors, but I can mention that I don't think libcurl should do that operation on passed-in headers. I see no reason, and I also think that apps have actually already found use for that hidden feature in the past. (That's a slightly separate story and in itself mostly due to libcurl's inability to allow an added header with nothing on the right side of the colon.)
-- 
 / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
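The reply above leaves CRLF handling to the application or binding, so the check has to happen before a header reaches `curl_slist_append()` for `CURLOPT_HTTPHEADER`. The following is an added example, not code from libcurl, PHP/CURL or either poster: `build_header_line`, `crlf_policy` and the sample values are hypothetical, and joining a line break into a single SP follows the option named in the quoted report.

```c
#include <stdio.h>
#include <string.h>

enum crlf_policy { CRLF_REJECT, CRLF_TO_SP };

/* Loose name check: non-empty, no control chars, space or colon. */
static int name_ok(const char *name)
{
    if (!*name) return 0;
    for (; *name; name++)
        if ((unsigned char)*name <= ' ' || *name == ':' || *name == 0x7f)
            return 0;
    return 1;
}

/* Build "Name: value" in out; 0 on success, -1 if refused or out too small. */
int build_header_line(char *out, size_t outlen, const char *name,
                      const char *value, enum crlf_policy policy)
{
    int w;
    size_t n;
    if (!name_ok(name)) return -1;
    w = snprintf(out, outlen, "%s: ", name);
    if (w < 0 || (size_t)w >= outlen) return -1;
    n = (size_t)w;
    while (*value) {
        if (*value == '\r' || *value == '\n') {
            if (policy == CRLF_REJECT) return -1;
            /* Swallow the line break and any blanks that follow it. */
            while (*value && strchr("\r\n \t", *value)) value++;
            if (!*value) break;          /* trailing break: nothing to join */
            if (n + 1 >= outlen) return -1;
            out[n++] = ' ';
            continue;
        }
        if (n + 1 >= outlen) return -1;
        out[n++] = *value++;
    }
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char line[128];
    const char *v = "en\r\nX-Injected: 1";   /* constructed sample value */
    printf("reject: %d\n", build_header_line(line, sizeof line, "X-Lang", v, CRLF_REJECT));
    if (!build_header_line(line, sizeof line, "X-Lang", v, CRLF_TO_SP)) puts(line);
    return 0;
}
```

Only a line for which the function returns 0 would be passed on to `curl_slist_append()`; on -1 the buffer contents are not usable.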
