cURL / Mailing Lists / curl-library / Single Mail


Re: [Bug] HTTP header splitting in curl for PHP

From: Daniel Stenberg <>
Date: Wed, 9 Mar 2011 00:44:57 +0100 (CET)

On Tue, 8 Mar 2011, Gabriel Totoliciu wrote:

> (I'm not sure if this is the correct mailing list for curl for php bug
> reports. Please advise with the proper mailing list if this is the wrong
> one.)

The PHP/CURL binding is written by the PHP team, file bug reports in their bug

> Inserting CRLF into a header value splits the header into different headers.
> This behavior seems to be a potential security problem.

Right, but... why do you insert CRLF into headers unless you really want the
subsequent behavior?

> Since curl for php allows the programmer to give an *array of headers* as
> the CURLOPT_HTTPHEADER parameter, it should convert the CRLF characters to
> either CRLFSP or SP according to the RFC.

I won't speak for the PHP/CURL authors, but I can mention that I don't think
libcurl should do that operation on passed-in headers. I see no reason, and I
also think that apps have actually already found use for that hidden feature
in the past. (That's a slightly separate story and in itself mostly due to
libcurls inability to allow an added header with nothing on the right side of
the colon.)

List admin:
Received on 2011-03-09