On September 7, 2002 09:58 pm, Yasuo Ohgaki wrote:
> This obvious security risk is mentioned in bugtraq today.
>
> IMHO, this is users' fault. They must check values before
> using them. In this specific case, the user should use a simple regex
> before feeding the string to header().
>
> Any opinion on making this "won't fix"?
I agree with you that this is indeed a user's fault. It is up to the user to make sure their applications validate input before passing it to various functions.

> One thing we could do is force the header parameter to a single line.
> Any idea whether it may break applications?

I do not think we should force header to be one line only; some people may use the ability to send multiline headers in their applications, which is pretty useful if you need to send many headers at once and want to save a few header() function calls.

Ilia

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
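The following is an added illustration of the point under discussion; it is not code from the thread and not PHP's own implementation of header(). It writes the check Yasuo describes, a regex over the value before it reaches header(), next to a helper that makes visible how one unchecked value containing CRLF becomes two header lines. The helper names raw_header_line, header_line_count, is_safe_header_value and safe_header are assumed for this example, and the tainted redirect target is constructed.

```php
<?php
declare(strict_types=1);

// Added example: a CRLF gate in front of header(), plus helpers that show
// the raw bytes. Helper names are chosen for this example, not from PHP.

/**
 * Return the bytes a server would emit for one header line. Used only to
 * make the injection visible on the command line, where header() has no
 * effect on output.
 */
function raw_header_line(string $name, string $value): string
{
    return $name . ': ' . $value . "\r\n";
}

/**
 * Count the header lines a single name/value pair actually yields once a
 * client honours CR/LF embedded in the value.
 */
function header_line_count(string $name, string $value): int
{
    $raw = rtrim(raw_header_line($name, $value), "\r\n");
    return count(preg_split('/\r\n|\r|\n/', $raw));
}

/**
 * True when the value is printable ASCII (plus horizontal tab), so it can
 * neither terminate the current header line nor start a new one.
 */
function is_safe_header_value(string $value): bool
{
    return preg_match('/\A[\x20-\x7E\t]*\z/', $value) === 1;
}

/**
 * Wrapper around header() that refuses control characters instead of
 * passing them through to the response.
 */
function safe_header(string $name, string $value): void
{
    if (!is_safe_header_value($value)) {
        throw new InvalidArgumentException(
            "refusing to send header '$name': value contains control characters"
        );
    }
    header($name . ': ' . $value);
}

// Constructed attacker input: a redirect target carrying an embedded CRLF
// pair followed by a second header the attacker wants the browser to see.
$tainted = "http://example.com/\r\nSet-Cookie: session=attacker";
$clean   = 'http://example.com/';

// Run the gated sends first, before any output, so header() is never called
// after the response body has started.
$results = [];
foreach ([$clean, $tainted] as $value) {
    try {
        safe_header('Location', $value);
        $results[] = 'accepted: ' . addcslashes($value, "\r\n");
    } catch (InvalidArgumentException $e) {
        $results[] = 'rejected: ' . $e->getMessage();
    }
}

echo "Unchecked value yields ", header_line_count('Location', $tainted),
     " header lines:\n", raw_header_line('Location', $tainted);
echo "Clean value yields ", header_line_count('Location', $clean),
     " header line.\n\n";

foreach ($results as $line) {
    echo $line, "\n";
}
```

Run it with the php command-line binary; header() has no effect there, so the raw_header_line output stands in for the response the web SAPI would send. The regex is deliberately an allowlist of printable ASCII rather than a blocklist of "\r\n" alone, so a bare CR or LF, or a NUL, is refused as well. Later PHP releases (4.4.2 and 5.1.2) made header() itself reject a value containing a newline, which is the single-line restriction debated in the thread; validating the value in the application remains the place to decide what a Location target may contain at all.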