On Sun, Dec 16, 2012 at 7:12 PM, canyonknight <[email protected]> wrote:
> This implementation is susceptible to HTTP header injection.

Ok. You mean in the current 'Location:' line without filtering 0x0a and 0x0d?

> Also note the usage of $_SERVER['REQUEST_URI'] had previously been eliminated
> with commit 630f1cbae8473fb05e5f5af7244eccc60fe93812.

If we can't trust $_SERVER['REQUEST_URI'], then how should we determine the current URL? Using $_SERVER['PATH_INFO'] and $_SERVER['QUERY_STRING']? Or are these also susceptible to manipulation?

Regards,
Marcel

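The two points raised in the thread, an unfiltered 'Location:' line and rebuilding the current URL from server variables, side by side as an added example. This is not AUR code and not code posted by either participant. It assumes the redirect value is written into a raw header line (or through an emitter that does not check for CR/LF), and it picks SCRIPT_NAME, PATH_INFO and QUERY_STRING purely for illustration; the thread leaves open which $_SERVER keys the AUR should rely on, and the $fake_server array is constructed input, not a captured request.

```php
<?php
// Added example, not code from the AUR repository or from the thread.

// Vulnerable pattern: the redirect target goes into the header value unchanged.
// A target containing 0x0d 0x0a (CR LF) terminates the Location header early,
// so whatever follows becomes a second header (or, after a blank line, a body).
function build_location_unfiltered(string $target): string
{
    return "Location: " . $target . "\r\n";
}

// Hardened pattern: refuse any control character instead of trying to strip it,
// and accept only a local absolute path so the redirect cannot leave the site.
function build_location_filtered(string $target): ?string
{
    if (preg_match('/[\x00-\x1f\x7f]/', $target) === 1) {
        return null;                       // CR, LF, NUL, ...: reject the request
    }
    if ($target === '' || $target[0] !== '/' || substr($target, 0, 2) === '//') {
        return null;                       // no external or protocol-relative URLs
    }
    return "Location: " . $target . "\r\n";
}

// Rebuild the current URL from its components instead of echoing the raw
// request line back. $server stands in for $_SERVER (passed in so this runs
// offline). Every piece is re-encoded, so whatever bytes the client sent, the
// result contains only URL-safe characters. PATH_INFO and QUERY_STRING are
// just as attacker-controlled as REQUEST_URI; the difference is that here
// they are validated and re-encoded rather than copied.
function current_url(array $server): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';

    // HTTP_HOST comes from the client too. A real deployment should compare it
    // against an allow-list; this illustrative check only limits the charset.
    $host = $server['HTTP_HOST'] ?? 'localhost';
    if (preg_match('/^[A-Za-z0-9.\-]+(:\d+)?$/', $host) !== 1) {
        $host = 'localhost';
    }

    // Assumption for this example: script path plus extra path info.
    $path = ($server['SCRIPT_NAME'] ?? '/') . ($server['PATH_INFO'] ?? '');
    // Encode each segment separately so the "/" separators survive.
    $path = implode('/', array_map('rawurlencode', explode('/', $path)));

    $query = '';
    if (isset($server['QUERY_STRING']) && $server['QUERY_STRING'] !== '') {
        parse_str($server['QUERY_STRING'], $params);   // decodes %0d%0a into CR LF
        $query = '?' . http_build_query($params);      // re-encodes every key and value
    }
    return $scheme . '://' . $host . $path . $query;
}

// Constructed input: a query string carrying an encoded CR LF followed by a
// Set-Cookie line, the classic header injection payload.
$fake_server = [
    'HTTPS'        => 'on',
    'HTTP_HOST'    => 'aur.archlinux.org',
    'SCRIPT_NAME'  => '/packages.php',
    'PATH_INFO'    => '',
    'QUERY_STRING' => 'ID=1%0d%0aSet-Cookie:%20x=y',
];

// Decoded once (as a naive "current URL" builder might do), the payload now
// holds a literal CR LF.
$decoded_target = '/packages.php?' . urldecode($fake_server['QUERY_STRING']);

// Two header lines come out of the unfiltered builder; the filtered builder
// returns null and the caller should answer with an error instead.
echo build_location_unfiltered($decoded_target);
var_dump(build_location_filtered($decoded_target));

// The re-encoded URL keeps the payload as harmless %0D%0A and can be placed
// in a Location header safely.
echo current_url($fake_server), "\n";
```

Run with `php example.php`. The useful contrast is between the first and last lines of output: the unfiltered builder emits the injected Set-Cookie header as its own line, while the rebuilt URL carries the same bytes percent-encoded. Rejecting rather than stripping CR/LF in the filtered builder is deliberate: silently removing the bytes hides the attack attempt and leaves a value the application never expected.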