<?php
setcookie('test', "test\r\n<script>alert(1)</script>");
echo 1;
但事实证明 PHP 会自动进行编码:
Set-Cookie: test=test%0D%0A%3Cscript%3Ealert%281%29%3C%2Fscript%3E
这是否意味着不可能重现 HTTP response splitting在 PHP 中?
最佳答案
来自linked维基百科文章:
[...] Although response splitting is not specific to PHP, the PHP interpreter contains protection against the attack since version 4.4.2 and 5.1.2. [1]
关于php - PHP 是否不受 "HTTP Response Splitting"漏洞的影响?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/6287713/