On Wed, 9 Mar 2011, Gabriel Totoliciu wrote:

> I won't speak for the PHP/CURL authors, but I can mention that I don't think
> libcurl should do that operation on passed-in headers. I see no reason, and
> I also think that apps have actually already found use for that hidden
> feature in the past. (That's a slightly separate story and in itself mostly
> due to libcurls inability to allow an added header with nothing on the right
> side of the colon.)
>
> Ah, I see. It was more of a security concern that I had.

I figured so, but I don't see the concern.

If you control the code that can add CRLF into a header as you described, then
you can just as well add entirely new headers, or insert a zero-byte in there
or otherwise change the code to do just about anything... The CRLF would then
be a very minor thing in comparison.

> Anyway, you have to agree that this is kind of a dirty way to achieve the
> result you described.

I do. But it is also the results of providing an API and sticking with it, as
then you sometimes find yourself in a position where you can't change existing
behavior and yet want to allow users certain features that the existing API
was a bit too limiting to allow in a conveniant way...

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html