Diffstat (limited to 'includes')
-rw-r--r-- | includes/file.inc | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/includes/file.inc b/includes/file.inc
index dca300079..a1232f1e9 100644
--- a/includes/file.inc
+++ b/includes/file.inc
@@ -456,6 +456,10 @@ function file_transfer($source, $headers) {
 ob_end_clean();
 foreach ($headers as $header) {
+ // To prevent HTTP header injection, we delete new lines that are
+ // not followed by a space or a tab.
+ // See http://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
+ $header = preg_replace('/\r?\n(?!\t| )/', '', $header);
 header($header);
 } |
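Review bot: The added `preg_replace` removes LF and CRLF but leaves a bare `\r` untouched, so a header string containing a lone carriage return still reaches `header()` unchanged, and some HTTP parsers and intermediaries treat a bare CR as a line terminator. Extending the pattern closes that gap while still keeping folded continuation lines: `$header = preg_replace('/\r?\n(?!\t| )|\r(?!\n)/', '', $header);`. `preg_replace` also returns `null` on a PCRE error, so it is worth skipping the `header()` call in that case rather than passing `null` through. Where `$headers` comes from is not visible in this hunk, and the body of `file_transfer` continues outside it, so callers that build header values from user-controlled data should be checked separately.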