- More fixes

author: Dries Buytaert <dries@buytaert.net> 2005-11-30 15:31:23 +0000
committer: Dries Buytaert <dries@buytaert.net> 2005-11-30 15:31:23 +0000
commit: a74ebcc87a63628f8c4e0ea35a694b8f299c0633 (patch)
tree: 02197e34fb608a69537b6f3b2b1790134ab2c598 /includes/file.inc
parent: 17ec644763bb46af1a17b858accaaa2ff9fb9693 (diff)
download: brdo-a74ebcc87a63628f8c4e0ea35a694b8f299c0633.tar.gz
brdo-a74ebcc87a63628f8c4e0ea35a694b8f299c0633.tar.bz2
1 files changed, 4 insertions, 0 deletions
diff --git a/includes/file.inc b/includes/file.inc
index dca300079..a1232f1e9 100644
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -456,6 +456,10 @@ function file_transfer($source, $headers) {
   ob_end_clean();
 
   foreach ($headers as $header) {
+    // To prevent HTTP header injection, we delete new lines that are
+    // not followed by a space or a tab.
+    // See http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
+    $header = preg_replace('/\r?\n(?!\t| )/', '', $header);
     header($header);
   }
author	Dries Buytaert <dries@buytaert.net>	2005-11-30 15:31:23 +0000
committer	Dries Buytaert <dries@buytaert.net>	2005-11-30 15:31:23 +0000
commit	a74ebcc87a63628f8c4e0ea35a694b8f299c0633 (patch)
tree	02197e34fb608a69537b6f3b2b1790134ab2c598 /includes/file.inc
parent	17ec644763bb46af1a17b858accaaa2ff9fb9693 (diff)
download	brdo-a74ebcc87a63628f8c4e0ea35a694b8f299c0633.tar.gz brdo-a74ebcc87a63628f8c4e0ea35a694b8f299c0633.tar.bz2