Release v0.2.5 — security fix: HTTP response splitting

The uopz header() override didn't reject CRLF/NUL in values, breaking PHP's native protection (in place since 4.4.2). User-controlled input passed to header() / setcookie() / redirect() could smuggle additional response headers, enabling session fixation and cache poisoning.

All entry points patched:
- header(), Response::header()
- Response::redirect()
- setcookie(), setrawcookie()

Cookie name char-class rules now match PHP native setcookie. 9 new regression tests added.

All v0.2.x releases prior to v0.2.5 are affected. Upgrade recommended.
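
The kind of guard this release describes, as an added sketch that is not the project's own code. The function names (`assertSafeHeaderLine`, `assertSafeCookieName`, `recordHeader`) and the sample inputs are hypothetical; the cookie-name character set follows native `setcookie()`, with NUL added here as an assumption.

```php
<?php
declare(strict_types=1);

/** Reject bytes that would end the current header line or truncate it. */
function assertSafeHeaderLine(string $line): string
{
    if (preg_match('/[\r\n\x00]/', $line) === 1) {
        throw new InvalidArgumentException('Header contains CR, LF or NUL');
    }
    return $line;
}

/** Cookie name rule modelled on native setcookie(): non-empty, none of =,; SP HT CR LF VT FF. */
function assertSafeCookieName(string $name): string
{
    // NUL is rejected as well (assumption of this sketch, not taken from the release note).
    if ($name === '' || preg_match('/[=,; \t\r\n\x0b\x0c\x00]/', $name) === 1) {
        throw new InvalidArgumentException('Invalid cookie name');
    }
    return $name;
}

/** Hypothetical stand-in for an overridden header(): validate, then record instead of sending. */
function recordHeader(string $line, array &$sent): void
{
    $sent[] = assertSafeHeaderLine($line);
}

// Constructed inputs: one benign line, one carrying an extra header after CRLF, one with NUL.
$sent = [];
$lines = [
    'Location: /home',
    "Location: /home\r\nSet-Cookie: PHPSESSID=fixed",
    "X-Trace: abc\0def",
];
foreach ($lines as $line) {
    try {
        recordHeader($line, $sent);
        echo 'accepted: ', $line, PHP_EOL;
    } catch (InvalidArgumentException $e) {
        // Escape control bytes so the rejected value is visible on one line.
        echo 'rejected: ', addcslashes($line, "\0..\37"), PHP_EOL;
    }
}

// Constructed cookie names checked against the same rule set.
foreach (['session', "sid\r\nX-Injected", 'a=b', ''] as $name) {
    try {
        assertSafeCookieName($name);
        echo 'cookie name ok: ', $name, PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'cookie name rejected: ', addcslashes($name, "\0..\37"), PHP_EOL;
    }
}
```

Every path that ends in a header write, including redirect and cookie helpers, has to pass through the same check, which is why the release lists each entry point separately.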