PHP :: Bug #22127 :: bogus http response when force-cgi-redirect safety mechanism triggered

Bug #22127	bogus http response when force-cgi-redirect safety mechanism triggered
Submitted:	2003-02-08 14:46 UTC	Modified:	2004-03-12 08:58 UTC
From:	zlo at canada dot com	Assigned:
Status:	Closed	Package:	CGI/CLI related
PHP Version:	4CVS, 5CVS	OS:	*
Private report:	No	CVE-ID:	None

View Developer Edit

[2003-02-08 14:46 UTC] zlo at canada dot com

When php is used in cgi mode with force-cgi-redirect enabled, and the safety mechanism is triggered, PHP produces a bogus http response line:
HTTP/1.1 0
this is invalid and browsers fail to display the output.
it happens for PHP 4.3.0 and a fresh PHP 4.3.1-dev snapshot under both Windows and Linux.
AFAIK 0 is not a valid response code, and unless one uses a non-compliant browser or accesses the page through a raw telnet session, the warning page cannot be seen.
it would be desirable for PHP to produce a meaningful response code, such as 200, 403 or 500.
for example:

GET /cgi-bin/php/pi.php HTTP/1.1
HOST: mysite

HTTP/1.1 0
Date: Sat, 08 Feb 2003 20:32:46 GMT
Server: Apache/1.3.27 (Unix) PHP/4.3.0
Transfer-Encoding: chunked
Content-Type: text/html; charset=windows-1251

283
<b>Security Alert!</b> The PHP CGI cannot be accessed directly.

<p>This PHP CGI binary was compiled with force-cgi-redirect enabled.  This
means that a page will only be served up if the REDIRECT_STATUS CGI variable is
set, e.g. via an Apache Action directive.</p>
<p>For more information as to <i>why</i> this behaviour exists, see the <a href="http://php.net/security.cgi-bin">manual page for CGI security</a>.</p>
<p>For more information about changing this behaviour or re-enabling this webserver,
consult the installation file that came with this distribution, or visit
<a href="http://php.net/install.windows">the manual page</a>.</p>

0

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-03-30 06:44 UTC] moriyoshi@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

[2003-03-30 15:45 UTC] zlo at canada dot com

using the latest build:
# HEAD http://mysite/cgi-bin/php/pi.php
500 Bad response code: 'HTTP/1.1 0'

[2003-08-08 06:16 UTC] sniper@php.net

Still a problem with both PHP4/PHP5.

[2004-02-28 09:52 UTC] scottmacvicar at ntlworld dot com

403 is probably the most appropriate response code.
Though 400 Bad Request could be another possibility.

http://www.w3.org/Protocols/HTTP/HTRESP.html

patch
-------
diff -u cgi_main.c cgi_main.c.patched
--- cgi_main.c  2004-02-28 14:53:31.000000000 +0000
+++ cgi_main.c.patched  2004-02-28 14:54:16.000000000 +0000
@@ -1106,6 +1106,7 @@
                            in case some server does something different than above */
                        && (!redirect_status_env || !getenv(redirect_status_env))
                        ) {
+                       SG(sapi_headers).http_response_code = 403;
                        PUTS("<b>Security Alert!</b> The PHP CGI cannot be accessed directly.\n\n\
 <p>This PHP CGI binary was compiled with force-cgi-redirect enabled.  This\n\
 means that a page will only be served up if the REDIRECT_STATUS CGI variable is\n\

[2004-03-12 08:58 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Oct 31 13:00:01 2025 UTC