diff --git a/typo3/sysext/core/Classes/Http/Message.php b/typo3/sysext/core/Classes/Http/Message.php
index 1197228cb3bba378c7f8cbf8b7a0c8630c8cd8e3..c28e2abdb16f778f9558db91042e65c0a28abb18 100644
--- a/typo3/sysext/core/Classes/Http/Message.php
+++ b/typo3/sysext/core/Classes/Http/Message.php
@@ -460,11 +460,8 @@ class Message implements MessageInterface
     {
         $value = (string)$value;
 
-        // Look for:
-        // \n not preceded by \r, OR
-        // \r not followed by \n, OR
-        // \r\n not followed by space or horizontal tab; these are all CRLF attacks
-        if (preg_match("#(?:(?:(?<!\r)\n)|(?:\r(?!\n))|(?:\r\n(?![ \t])))#", $value)) {
+        // Any occurence of \r or \n is invalid
+        if (strpbrk($value, "\r\n") !== false) {
             return false;
         }
 
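Review bot: The replacement comment above the `strpbrk` check misspells "occurrence" and no longer records that folded continuation lines are now refused on purpose. That is a behaviour change for any caller that used to pass a value containing CRLF followed by a space or tab, so it deserves a line in the code, for example `// Any occurrence of \r or \n is invalid; folded values (CRLF followed by space or tab) are rejected too`. The validation method starts and continues outside this hunk, so any further character checks it performs are not visible here.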
diff --git a/typo3/sysext/core/Classes/Utility/GeneralUtility.php b/typo3/sysext/core/Classes/Utility/GeneralUtility.php
index 65ebca4ab98d8969c8a055cfefd2a0ecf926fa9a..b1b8b64df848ae43cc9ebeef4d44a1c6795863f9 100755
--- a/typo3/sysext/core/Classes/Utility/GeneralUtility.php
+++ b/typo3/sysext/core/Classes/Utility/GeneralUtility.php
@@ -3146,6 +3146,7 @@ Connection: close
      *
      * @param string $path URL / path to prepend full URL addressing to.
      * @return string
+     * @throws \InvalidArgumentException
      */
     public static function locationHeaderUrl($path)
     {
@@ -3157,6 +3158,10 @@ Connection: close
             // No scheme either
             $path = self::getIndpEnv('TYPO3_REQUEST_DIR') . $path;
         }
+        // Can be removed once minimum PHP requirement is at least 5.5.22 or 5.6.6
+        if (strpbrk($path, "\r\n") !== false) {
+            throw new \InvalidArgumentException('HTTP header injection attempt in "' . $path . '"', 1448194036);
+        }
         return $path;
     }
 
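Review bot: The exception message in the added `strpbrk` branch embeds `$path` unmodified, so the CR/LF sequence that was just rejected is carried into whatever logs or renders the exception. How the exception is handled is not visible here, but a line-oriented log would show the embedded text as separate entries, so encoding the value first is safer: `throw new \InvalidArgumentException('HTTP header injection attempt in "' . rawurlencode($path) . '"', 1448194036);`. No test for the new throw in `locationHeaderUrl` appears in this diff; a single case with a line break in the path would pin the behaviour. The method body begins outside this hunk.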
diff --git a/typo3/sysext/core/Tests/Unit/Http/MessageTest.php b/typo3/sysext/core/Tests/Unit/Http/MessageTest.php
index 4d0f2552d6434468b808b95cc333ccdf753d68d2..a0562484aa70c46e9f4a56efe900537c26ba22d2 100644
--- a/typo3/sysext/core/Tests/Unit/Http/MessageTest.php
+++ b/typo3/sysext/core/Tests/Unit/Http/MessageTest.php
@@ -285,6 +285,8 @@ class MessageTest extends \TYPO3\CMS\Core\Tests\UnitTestCase
             'array-value-with-lf'    => ['X-Foo-Bar', ["value\ninjection"]],
             'array-value-with-crlf'  => ['X-Foo-Bar', ["value\r\ninjection"]],
             'array-value-with-2crlf' => ['X-Foo-Bar', ["value\r\n\r\ninjection"]],
+            'multi-line-header-space' => ['X-Foo-Bar', "value\r\n injection"],
+            'multi-line-header-tab' => ['X-Foo-Bar', "value\r\n\tinjection"],
         ];
     }
 
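Review bot: The two added provider rows cover folded values only as plain strings, while the context rows just above them are array-form cases. If array values pass through the same validation, matching rows such as `'array-multi-line-header-space' => ['X-Foo-Bar', ["value\r\n injection"]],` plus a tab variant would guard that path against a regression as well. The provider method begins outside this hunk, so rows defined earlier are not visible here.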
@@ -308,21 +310,4 @@ class MessageTest extends \TYPO3\CMS\Core\Tests\UnitTestCase
         $this->message->withAddedHeader($name, $value);
     }
 
-    /**
-     * @test
-     */
-    public function testWithHeaderAllowsHeaderContinuations()
-    {
-        $message = $this->message->withHeader('X-Foo-Bar', "value,\r\n second value");
-        $this->assertEquals("value,\r\n second value", $message->getHeaderLine('X-Foo-Bar'));
-    }
-
-    /**
-     * @test
-     */
-    public function testWithAddedHeaderAllowsHeaderContinuations()
-    {
-        $message = $this->message->withAddedHeader('X-Foo-Bar', "value,\r\n second value");
-        $this->assertEquals("value,\r\n second value", $message->getHeaderLine('X-Foo-Bar'));
-    }
 }