Solar_Http_Response uses Solar_Mime::headerValue() to sanitize header values. This will completely break headers for example if you put other than ASCII chars to the headers.
I found this bug when setting a header "Location" where the href had the letter "รค" in it. The reason there actually ended up being a non-ascii char was that Solar_Uri::_pathEncode() doesn't urlencode() path_info elements. Now, I don't know why it doesn't do that and it seems to me that it could do it, in which case Solar_Mime::headerValue() wouldn't have scrambled the header (and I would have not found this bug). I'm sure there is a reason for not using urlencode() there. Nevertheless, I think that Solar_http_response should not use headerValue() 'cause it seems to exist only for mail headers.
I don't know how we should sanitize HTTP headers. Maybe strip newlines and trim?? Sanitizing mail header values seems more important to me than sanitizing HTTP header values. Here's a trivial patch that just doesn't use Solar_Mime at all.
diff --git a/Solar/Http/Response.php b/Solar/Http/Response.php
index fe3f1c0..84a2646 100644
--- a/Solar/Http/Response.php
+++ b/Solar/Http/Response.php
@@ -472,9 +472,7 @@ class Solar_Http_Response extends Solar_Base {
// set each value for the header
foreach ((array) $list as $val) {
- // sanitize and set
- $line = Solar_Mime::headerLine($key, $val);
- header($line);
+ header("$key: $val");
}
}
