diff options
author | Dries Buytaert <dries@buytaert.net> | 2005-11-30 15:31:23 +0000 |
---|---|---|
committer | Dries Buytaert <dries@buytaert.net> | 2005-11-30 15:31:23 +0000 |
commit | a74ebcc87a63628f8c4e0ea35a694b8f299c0633 (patch) | |
tree | 02197e34fb608a69537b6f3b2b1790134ab2c598 /includes/file.inc | |
parent | 17ec644763bb46af1a17b858accaaa2ff9fb9693 (diff) | |
download | brdo-a74ebcc87a63628f8c4e0ea35a694b8f299c0633.tar.gz brdo-a74ebcc87a63628f8c4e0ea35a694b8f299c0633.tar.bz2 |
- More fixes
Diffstat (limited to 'includes/file.inc')
-rw-r--r-- | includes/file.inc | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/includes/file.inc b/includes/file.inc index dca300079..a1232f1e9 100644 --- a/includes/file.inc +++ b/includes/file.inc @@ -456,6 +456,10 @@ function file_transfer($source, $headers) { ob_end_clean(); foreach ($headers as $header) { + // To prevent HTTP header injection, we delete new lines that are + // not followed by a space or a tab. + // See http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2 + $header = preg_replace('/\r?\n(?!\t| )/', '', $header); header($header); } |