On Tue, 8 Mar 2011, Gabriel Totoliciu wrote:

> (I'm not sure if this is the correct mailing list for curl for php bug
> reports. Please advise with the proper mailing list if this is the wrong
> one.)

The PHP/CURL binding is written by the PHP team, file bug reports in their bug
tracker: http://bugs.php.net/

> Inserting CRLF into a header value splits the header into different headers.
> This behavior seems to be a potential security problem.

Right, but... why do you insert CRLF into headers unless you really want the
subsequent behavior?

> Since curl for php allows the programmer to give an *array of headers* as
> the CURLOPT_HTTPHEADER parameter, it should convert the CRLF characters to
> either CRLFSP or SP according to the RFC.

I won't speak for the PHP/CURL authors, but I can mention that I don't think
libcurl should do that operation on passed-in headers. I see no reason, and I
also think that apps have actually already found use for that hidden feature
in the past. (That's a slightly separate story and in itself mostly due to
libcurls inability to allow an added header with nothing on the right side of
the colon.)

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html