php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #64433 follow_location parameter of context is ignored for most response codes
Submitted: 2013-03-15 16:41 UTC Modified: 2013-03-31 03:07 UTC
From: akbarovs at gmail dot com Assigned:
Status: Closed Package: Streams related
PHP Version: 5.4.13 OS: Any
Private report: No CVE-ID: None
 [2013-03-15 16:41 UTC] akbarovs at gmail dot com
Description:
------------
Affected PHP versions: 5.4.12, 5.4.13, Git

The problem is that in new releases PHP ignores 'follow_location' context 
parameters for the response codes not in (300, 301, 302, 303 and 307). Problem 
is related to bugfix for bug #62524. Response codes should not be checked in the 
same condition where we check 'follow_location' parameter. And when we do that 
'follow_location' is always 1 for most response codes (ex.: 201): so we always 
redirect to the 'Location' and it cannot be changed using 'follow_location'=>0

You can see curl log for the sample resource where we combine 201 response code 
with 'Location' header: https://gist.github.com/akbarovs/5171115
For the test script I expect following response:
{"success": "ok"}

But when I execute it I get: {"documentId": 15} regardless to the 
follow_location parameter. I can remove it from the context parameter but I will 
continue receive wrong response.

I've attached patch for this issue. If 'follow_location' is not specified we do 
redirect for 3xx response codes. Otherwise we do not follow redirect. If 
'follow_location' is specified -> we do/do not follow redirects without checking 
response codes (if somebody really want to be redirected why we shouldn't allow 
to do it?)

BTW, I can send pull request via github if needed

Test script:
---------------
<?php
$requestXML = '';
$arr = array('http'=>
                        array(
                                'method'=>'POST',	
                                'follow_location'=>0,	
                                'content' => $requestXML

                        )
                );
$context = stream_context_create($arr);
$f = fopen('http://localhost:8000', 'r', FALSE, $context);

echo stream_get_contents($f);
?>


Expected result:
----------------
Expected result:
{"success": "ok"}


Actual result:
--------------
Redirected to localhost:8000?q=1 and got {"documentId": 15}

Patches

hyper-zon-a (last revision 2013-05-20 18:13 UTC by herman dot laubscher at gmail dot com)
fopen_follow_location (last revision 2013-03-15 16:41 UTC by akbarovs at gmail dot com)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-03-15 17:04 UTC] akbarovs at gmail dot com
I've attached pull request for this issue:
https://github.com/php/php-src/pull/303
 [2013-03-31 03:07 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2013-03-31 03:07 UTC] stas@php.net
Please explain the use case for such change - why we should be following 
redirects when no redirect actually exists, as given by the response.
 [2013-03-31 04:26 UTC] stas@php.net
Automatic comment on behalf of sergey@terranova.(none)
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1d4fcdff9f8a5b183cd99295f330bb92dbcf1105
Log: Fix bug #64433: does not follow redirects for non-3xx response codes
 [2013-03-31 04:26 UTC] stas@php.net
-Status: Feedback +Status: Closed
 [2014-10-07 23:19 UTC] stas@php.net
Automatic comment on behalf of sergey@terranova.(none)
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=1d4fcdff9f8a5b183cd99295f330bb92dbcf1105
Log: Fix bug #64433: does not follow redirects for non-3xx response codes
 [2014-10-07 23:30 UTC] stas@php.net
Automatic comment on behalf of sergey@terranova.(none)
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=1d4fcdff9f8a5b183cd99295f330bb92dbcf1105
Log: Fix bug #64433: does not follow redirects for non-3xx response codes
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 09:01:32 2024 UTC