> Yasuo Ohgaki wrote:
> > This obvious security risk is mentioned in bugtraq today.
> >
> > IMHO, this is users' fault. They must check values before
> > using it. In this specific case, user should use simple regex
> > before feeding str to header().
> >
> > Any opinion to make this to "won't fix"?
>
> One thing we could do is force header parameter a single line.
> Any idea it may break applications?
>
Don't do that.

(seriously, the thing I'm working on right now relies on abusing the
http protocol... this is one way I'm doing it...)

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
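The check discussed in this thread (validating a value before it reaches header(), i.e. keeping it to a single line), written out as an added example. It is not part of the original messages or of PHP itself; the helper names and the sample values are assumptions constructed for illustration.

```php
<?php
// Added example: header_value_is_single_line() and build_header_line()
// are hypothetical helpers, not functions provided by PHP.

/**
 * True when $value can sit after "Name: " on one header line:
 * no CR, LF or NUL, any of which would terminate the line early.
 */
function header_value_is_single_line(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) === 0;
}

/**
 * Check the name against the HTTP token character set and the value for
 * line breaks, then return the line to pass to header(). It throws rather
 * than silently stripping, so the caller can log and reject the request.
 */
function build_header_line(string $name, string $value): string
{
    if (preg_match('/^[!#$%&\'*+.^_`|~0-9A-Za-z-]+$/', $name) !== 1) {
        throw new InvalidArgumentException('invalid header name');
    }
    if (!header_value_is_single_line($value)) {
        throw new InvalidArgumentException("line break in value for $name");
    }
    return $name . ': ' . $value;
}

// Constructed sample inputs: an ordinary value and one carrying CRLF.
$samples = [
    'plain' => '/account/home',
    'crlf'  => "/account/home\r\nX-Constructed: second-line",
];

foreach ($samples as $label => $target) {
    try {
        $line = build_header_line('Location', $target);
        // In a web SAPI, header($line) would be called here.
        echo "$label: accepted -> $line\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (" . $e->getMessage() . ")\n";
    }
}
```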