> The PHP/CURL binding is written by the PHP team, file bug reports in their bug > tracker: http://bugs.php.net/
Thanks, I'll send it there. >> Inserting CRLF into a header value splits the header into different headers. >> This behavior seems to be a potential security problem. >Right, but... why do you insert CRLF into headers unless you really want the subsequent behavior? >> Since curl for php allows the programmer to give an *array of headers* >> as the CURLOPT_HTTPHEADER parameter, it should convert the CRLF >> characters to either CRLFSP or SP according to the RFC. >I won't speak for the PHP/CURL authors, but I can mention that I don't think libcurl should do that operation on passed-in headers. I see no reason, and I also think that apps have actually already found use for that hidden feature in the past. (That's a slightly separate story and in itself mostly due to libcurls inability to allow an added header with nothing on the right side of the colon.) Ah, I see. It was more of a security concern that I had. Anyway, you have to agree that this is kind of a dirty way to achieve the result you described. Gabriel ------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
