- From: Adrian Chadd <adrian@creative.net.au>
- Date: Thu, 23 Jul 2009 10:16:16 +0800
- To: Adrien de Croy <adrien@qbik.com>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>

On Thu, Jul 23, 2009, Adrien de Croy wrote:

> PHP Warning: PHP Startup: sdo: Unable to initialize module
> Module compiled with module API=20060613, debug=0, thread-safety=1
> PHP compiled with module API=20050922, debug=0, thread-safety=1
> These options need to match
> in Unknown on line 0

Hah nice!

> Normally this wouldn't be particularly interesting - just another broken
> site. However all the browsers I tested swallowed this without
> complaining and displayed the body. I tested IE8, Chrome, FF3.5 and
> Opera 9.6.4. Each of the lines in the response was terminated by CRLF
> (not bare LF), so I'm struggling to see how anyone can interpret the PHP
> warning as anything resembling a valid header (even wrapped, since no
> leading WS).
>
> Isn't this a potentially serious security problem?
>
> It's hard to be the only proxy that decides to demonstrate how broken
> this site is - customers don't understand....

I've been seeing other random non-header stuff in HTTP reply headers.
Squid also complains and iirc drops the request as invalid by default.

HTTP/1.1 200 OK
Content-Type: image/jpeg
Vary: Accept-Encoding
Accept_170C_49EDDAC0
expires: Thu, 15 Apr 2011 20:00:00 GMT
Content-Length: 5900
Date: Mon, 13 Jul 2009 08:17:12 GMT
Connection: close
age: 0
X-Cache: HIT

I'd love to know what generates that.

Adrian

Received on Thursday, 23 July 2009 02:16:57 UTC
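
Added example, not part of the original message and not any proxy's own code: a strict header-block check of the kind an intermediary could run on the two replies discussed in this thread, using the RFC 7230 field-name token grammar. The function name and both sample byte strings are constructed for illustration from the text quoted above; the Content-Type line in the first sample and the line breaks in both are assumptions.

```python
import re

# RFC 7230 section 3.2: a field line is field-name ":" value, and field-name is a token.
TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

def check_header_block(raw: bytes):
    """Split a raw response head into (headers, problems) without guessing at bad lines."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers, problems, can_fold = [], [], False
    for lineno, line in enumerate(head.split("\r\n")[1:], start=2):  # line 1 = status line
        if "\n" in line or "\r" in line:
            problem = "bare CR or LF"
        elif line[:1] in (" ", "\t"):
            if can_fold:  # obsolete line folding continues the previous valid field
                headers[-1] = (headers[-1][0], headers[-1][1] + " " + line.strip())
                continue
            problem = "folded line with no valid field to continue"
        else:
            name, colon, value = line.partition(":")
            if colon and TOKEN.fullmatch(name):
                headers.append((name, value.strip()))
                can_fold = True
                continue
            problem = "field-name is not a token" if colon else "no colon"
        problems.append((lineno, problem, line))
        can_fold = False
    return headers, problems

# Constructed sample 1: the PHP warning text from the thread inside a header block.
PHP_HEAD = (
    b"HTTP/1.1 200 OK\r\n"
    b"PHP Warning: PHP Startup: sdo: Unable to initialize module\r\n"
    b"Module compiled with module API=20060613, debug=0, thread-safety=1\r\n"
    b"PHP compiled with module API=20050922, debug=0, thread-safety=1\r\n"
    b"These options need to match\r\n"
    b"in Unknown on line 0\r\n"
    b"Content-Type: text/html\r\n\r\n<html>...</html>"
)
# Constructed sample 2: the second reply, assuming the odd token was a line of its own.
ODD_HEAD = (
    b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nVary: Accept-Encoding\r\n"
    b"Accept_170C_49EDDAC0\r\nexpires: Thu, 15 Apr 2011 20:00:00 GMT\r\n"
    b"Content-Length: 5900\r\nDate: Mon, 13 Jul 2009 08:17:12 GMT\r\n"
    b"Connection: close\r\nage: 0\r\nX-Cache: HIT\r\n\r\n"
)

if __name__ == "__main__":
    for sample in (PHP_HEAD, ODD_HEAD):
        print(check_header_block(sample)[1] or "no problems")
```

Any non-empty problem list is grounds to reject or log the response rather than forward it; note that the first warning line contains a colon and is caught only because "PHP Warning" is not a valid token.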