On Fri, Feb 20, 2015 at 3:45 PM, Stanislav Malyshev <smalys...@gmail.com>
wrote:

> Hi!
>
> > cc'ing Stas as he was the author for this change.
> > but from my understanding this isn't a problem as we disallow setting
> > multiple headers in a single header() call for years (even though we had
> > a regression at one point).
>
> Well, we allowed multiline headers but it is an extremely exotic feature
> which is now dropped from the HTTP/1.1 standard, and also it causes
> security issues with IE users since IE never supported that feature
> properly. So given that I've decided to remove it even though strictly
> speaking it is a BC break (same goes for the HTTP standard).
>

duh, should have checked the commit first.
so since PHP 5.1.2 we were disallowing multiple headers to be set in the
same header() call (as in header("Foo: bar\r\nBaz: foo");) but we still
kept the ability to have multiline headers (as in
header("Foo: bar\r\n baz");)
which still caused some problems for some browsers, so we had a discussion
about removing multiline header support altogether:
http://comments.gmane.org/gmane.comp.php.devel/88039
so Florian is correct that this is a BC break (albeit in a less
known/discouraged feature which was causing security problems over the
years).
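
The cases named in this message, as an added example that is not part of the original thread or of PHP's own source: a userland check that tells a single-line header, a multiple-header string, and a folded (multiline) header apart, and refuses everything but the first. The function names `classify_header_line` and `send_header_strict` are hypothetical, and the sample strings are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a PHP built-in): classify a string that is about
// to be passed to header().
function classify_header_line(string $line): string
{
    // Split on any line break; "\r\n" is tried first so it counts once.
    $parts = preg_split('/\r\n|\r|\n/', $line);
    if (count($parts) === 1) {
        return 'single-line';
    }
    foreach (array_slice($parts, 1) as $continuation) {
        // A continuation that does not start with space or tab begins a new
        // header line, e.g. "Foo: bar\r\nBaz: foo". A trailing line break
        // (empty continuation) is treated the same way.
        if ($continuation === ''
            || ($continuation[0] !== ' ' && $continuation[0] !== "\t")) {
            return 'multiple-headers';
        }
    }
    // Every break is followed by whitespace: a folded header such as
    // "Foo: bar\r\n baz".
    return 'folded';
}

// Application-side guard: accept only single-line headers, so the result
// does not depend on which PHP version's header() is running.
function send_header_strict(string $line): void
{
    $kind = classify_header_line($line);
    if ($kind !== 'single-line') {
        throw new InvalidArgumentException("refusing $kind header");
    }
    header($line);
}

// Constructed samples, taken from the forms quoted in the message.
$samples = [
    "Foo: bar",
    "Foo: bar\r\nBaz: foo",
    "Foo: bar\r\n baz",
    "Foo: bar\n\tbaz",
    "Foo: bar\r\n",
];
foreach ($samples as $s) {
    printf("%-28s %s\n", json_encode($s), classify_header_line($s));
}
```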
