cURL / Mailing Lists / curl-library / Single Mail


RE: [Bug] HTTP header splitting in curl for PHP

From: Daniel Stenberg <>
Date: Wed, 9 Mar 2011 08:23:53 +0100 (CET)

On Wed, 9 Mar 2011, Gabriel Totoliciu wrote:

> I won't speak for the PHP/CURL authors, but I can mention that I don't think
> libcurl should do that operation on passed-in headers. I see no reason, and
> I also think that apps have actually already found use for that hidden
> feature in the past. (That's a slightly separate story and in itself mostly
> due to libcurls inability to allow an added header with nothing on the right
> side of the colon.)
> Ah, I see. It was more of a security concern that I had.

I figured so, but I don't see the concern.

If you control the code that can add CRLF into a header as you described, then
you can just as well add entirely new headers, or insert a zero-byte in there
or otherwise change the code to do just about anything... The CRLF would then
be a very minor thing in comparison.

> Anyway, you have to agree that this is kind of a dirty way to achieve the
> result you described.

I do. But it is also the results of providing an API and sticking with it, as
then you sometimes find yourself in a position where you can't change existing
behavior and yet want to allow users certain features that the existing API
was a bit too limiting to allow in a conveniant way...

List admin:
Received on 2011-03-09