Streams HTTP wrapper does not fail for headers with invalid name and no colon

Moderate
bukka published GHSA-pcmh-g36c-qc44 Mar 13, 2025

Package

No package listed

Affected versions

< 8.1.32
< 8.2.28
< 8.3.18
< 8.4.5

Patched versions

8.1.32
8.2.28
8.3.19
8.4.5

Description

Header lines that contain no colon are currently returned unchanged, without any error, in $http_response_header. This means that a server response such as the one produced by:

printf "HTTP/1.0 200 Ok\r\nContent-Type: text/html\r\nWrong-Header\r\nGood-Header: test\r\n\r\nbody\r\n" | nc -l 0.0.0.0 8000

results in the following $http_response_header:

array(4) {
  [0]=>
  string(15) "HTTP/1.0 200 Ok"
  [1]=>
  string(23) "Content-Type: text/html"
  [2]=>
  string(12) "Wrong-Header"
  [3]=>
  string(17) "Good-Header: test"
}

In addition, headers that contain a space in the header name (before the colon) also do not fail, even though the RFC does not allow such names.

Impact

This can cause problems in the application when it parses the array: for example, the application could treat such a line as a valid header or as a continuation of the previous one (folded headers currently misbehave, so an application may contain logic to handle them, and that logic could lead to a security issue). Some form of request smuggling could therefore be possible in this case.

Workarounds

Users can add special handling of $http_response_header. No notification is triggered for this sort of header, so no extra handling is needed there.
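The following is an example of the kind of special handling the workaround refers to. It is added here and is not part of the advisory or of PHP itself; the function names validate_http_response_header_lines and fetch_with_strict_headers, and the sample array, are this example's own. It treats every entry of $http_response_header as either a status line or a "field-name: field-value" pair whose name is an RFC 7230 token (no spaces, no control characters), and it also flags obs-fold continuation lines (lines that start with a space or tab) as invalid, which is a deliberately strict design choice. A status line may appear more than once because PHP appends the headers of every hop when it follows redirects, so a new block is started whenever a status line is seen.

```php
<?php
declare(strict_types=1);

/**
 * Validate the lines PHP places in $http_response_header.
 *
 * Returns ['responses' => [['status' => string, 'headers' => [name => [value, ...]]], ...],
 *          'invalid'   => [raw line, ...]].
 * Any line that is neither a status line nor a well-formed header
 * (for example "Wrong-Header" or "Bad Name: x") is reported under 'invalid'.
 */
function validate_http_response_header_lines(array $lines): array
{
    // field-name must be an RFC 7230 token, followed immediately by ':'.
    $headerRe = '/^([!#$%&\'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$/';
    // HTTP-version SP 3-digit status [SP reason-phrase]
    $statusRe = '#^HTTP/\d\.\d [1-5]\d\d(?: .*)?$#';
    // CTLs other than HTAB are not permitted in a field-value.
    $ctlRe = '/[\x00-\x08\x0A-\x1F\x7F]/';

    $result = ['responses' => [], 'invalid' => []];
    $current = null;

    foreach ($lines as $line) {
        if (preg_match($statusRe, $line)) {
            // Start of a (possibly redirected) response.
            if ($current !== null) {
                $result['responses'][] = $current;
            }
            $current = ['status' => $line, 'headers' => []];
            continue;
        }
        if ($current === null || !preg_match($headerRe, $line, $m) || preg_match($ctlRe, $m[2])) {
            // No status line yet, no colon, space in the name,
            // obs-fold continuation, or a control character in the value.
            $result['invalid'][] = $line;
            continue;
        }
        $current['headers'][strtolower($m[1])][] = $m[2];
    }
    if ($current !== null) {
        $result['responses'][] = $current;
    }
    return $result;
}

/**
 * Fetch a URL with the stream wrapper and refuse the response when any
 * header line fails validation, instead of letting the caller guess.
 */
function fetch_with_strict_headers(string $url): string
{
    $body = file_get_contents($url);
    if ($body === false) {
        throw new RuntimeException("request to $url failed");
    }
    // $http_response_header is populated in this function's local scope.
    $checked = validate_http_response_header_lines($http_response_header ?? []);
    if ($checked['invalid'] !== []) {
        throw new RuntimeException(
            'malformed response header(s): ' . implode(' | ', $checked['invalid'])
        );
    }
    return $body;
}

// Constructed sample mirroring the advisory's reproduction; no network needed.
$sample = [
    'HTTP/1.0 200 Ok',
    'Content-Type: text/html',
    'Wrong-Header',
    'Good-Header: test',
    'Bad Name: also rejected',
];
$checked = validate_http_response_header_lines($sample);
// Prints the two accepted headers and the two rejected raw lines.
var_dump($checked['responses'][0]['headers']);
var_dump($checked['invalid']);
```

In an application, call fetch_with_strict_headers() in place of a bare file_get_contents() for any URL whose response headers drive further logic; the rejected raw lines in 'invalid' are also useful to log, since a malformed header from an upstream server is worth alerting on.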

Severity

Moderate

CVE ID

CVE-2025-1734

Weaknesses

No CWEs