Headers: forbid \r and \n also after \0, allow CRLF followed by HT or SP and forbid \0. See bug #60227.
Conflicts:
ext/standard/tests/general_functions/bug60227.phpt
ext/standard/tests/general_functions/bug60227_1.phpt
ext/standard/tests/general_functions/bug60227_2.phpt
main/SAPI.c
to be called as all the headers are being sent and after all
of the default headers have been merged.
headers_list(), header_remove() and header() can all be used
inside the callback.
<?php
header('Content-Type: text/plain');
header('X-Test: foo');

function foo() {
    foreach (headers_list() as $header) {
        if (strpos($header, 'X-Powered') !== false) {
            header_remove('X-Powered-By');
        }
        header_remove('X-Test');
    }
}

$result = header_register_callback('foo');
echo "a";
disabled when the header "Content-length" is set.
#One could argue that any output handler could change the size of the
#response, so this exception for zlib.output_compression is an
#inconsistency. However, zlib.output_compression is presented as a
#performance setting, whose value should have no effect on the
#correctness of the scripts. This was not the case. Setting the
#header "content-length" and enabling zlib.output_compression was
#a recipe for infringing section 4.4 of RFC 2616.
requests--let's see what I can dig out of the bugtracker for NEWS--
and while crossing the road:
* implemented new zlib API
* fixed up ext/tidy (what was "s&" in zend_parse_parameters() supposed to do?)
Thanks to Jani and Felipe for pioneering.
* Removed ini options, safe_mode*
* Removed --enable-safe-mode --with-exec-dir configure options on Unix
* Updated extensions, SAPIs and core
* php_get_current_user() is now declared in main.c, thus no need to include safe_mode.h anymore
I am sorry I tried fixing PHP without extensive discussion on the mailing list.
Hope all the relevant parties are satisfied.