header() can generate Set-Cookie and P3P headers which contain invalid newlines.
use CGI qw/header/;
print header(
-cookie => [ "foo\nbar\nbaz", ],
-p3p => [ "foo\nbar\nbaz", ],
);
# [STDOUT]
# P3P: policyref="/w3c/p3p.xml", CP="foo
# bar
# baz"
# Set-Cookie: foo
# bar
# baz
# Date: Sat, 10 Nov 2012 03:19:23 GMT
# Content-Type: text/html; charset=ISO-8859-1
#
In this case, values of these headers are array references and so the following substitution doesn't work:
$header =~ s/$CRLF(\s)/$1/g;
(https://github.com/markstos/CGI.pm/blob/master/lib/CGI.pm#L1506)
where $header is an array reference.
Those values should be stringified before CR escaping is done.
PS: My previous request "Investigated how CGI::header() process undef" is closed temporarily because the priority of this request is higher than the previous one. Sorry for the incovenience. I'll reopen the previous one after this issue is closed.