php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77285 Missing REQUEST_METHOD in INPUT_SERVER
Submitted: 2018-12-11 22:44 UTC Modified: 2021-10-27 10:49 UTC
Votes:6
Avg. Score:3.7 ± 0.9
Reproduced:5 of 5 (100.0%)
Same Version:1 (20.0%)
Same OS:0 (0.0%)
From: m49434s at gmail dot com Assigned:
Status: Open Package: Filter related
PHP Version: 7.3.0 OS: FreeBSD
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: m49434s at gmail dot com
New email:
PHP Version: OS:

 

 [2018-12-11 22:44 UTC] m49434s at gmail dot com
Description:
------------
With PHP 7.3.0 input validation using filter_input(INPUT_SERVER,'REQUEST_METHOD',...) is broken because the field 'REQUEST_METHOD' is not mapped. The code is working as expected in 7.2.x and previous releases.

Test script:
---------------
<?php
if(filter_has_var(INPUT_SERVER,'REQUEST_METHOD')):
	echo 'filter_has_var: INPUT_SERVER field REQUEST_METHOD exists',PHP_EOL,PHP_EOL;
else:
	echo 'filter_has_var: INPUT_SERVER field REQUEST_METHOD does not exist',PHP_EOL,PHP_EOL;
	echo '<pre>';
	print_r($_SERVER);
	echo '</pre>';
endif;
?>
<form action="test.php" method="post" id="iform" name="iform">
	<input type="text" id="username" name="username" placeholder="Username" autofocus="autofocus">
	<input type="password" id="password" name="password" placeholder="Password">
	<input type="submit" value="Login">
</form>

Expected result:
----------------
The script should display 'filter_has_var: INPUT_SERVER field REQUEST_METHOD exists' after pressing the login button.

Actual result:
--------------
Script displays 'filter_has_var: INPUT_SERVER field REQUEST_METHOD does not exist' followed by the content of $_SERVER after pressing the login button.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-12-12 13:55 UTC] ma dot zoon at quicknet dot nl
i can confirm proper working on php 7.2.13 and broken on php 7.3.0.
 [2021-10-20 10:24 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-10-20 10:24 UTC] cmb@php.net
I cannot reproduce this with PHP-7.4 and the CGI SAPI.  Can
anybody else still reproduce this with any of the actively
supported PHP versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2021-10-20 14:44 UTC] m49434s at gmail dot com
-Status: Feedback +Status: Assigned
 [2021-10-20 14:44 UTC] m49434s at gmail dot com
filter_has_var is still reporting false for INPUT_SERVER / REQUEST_METHOD in PHP 7.4.19, although $_SERVER has it:

PHP version: 7.4.19
filter_has_var: INPUT_SERVER field REQUEST_METHOD does not exist
Array
(
    [PATH] => /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
    [PHP_FCGI_CHILDREN] => 2
    [PHP_FCGI_MAX_REQUESTS] => 500
    [PATH_TRANSLATED] => /usr/local/www
    [ORIG_SCRIPT_FILENAME] => /usr/local/www/test.php/
    [SSL_CIPHER_ALGKEYSIZE] => 256
    [SSL_CIPHER_USEKEYSIZE] => 256
    [SSL_CIPHER] => TLS_AES_256_GCM_SHA384
    [SSL_PROTOCOL] => TLSv1.3
    [HTTP_COOKIE] => <removed>
    [HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.9,de-DE;q=0.8,de;q=0.7,fr;q=0.6
    [HTTP_ACCEPT_ENCODING] => gzip, deflate, br
    [HTTP_REFERER] => https://192.168.0.44/test.php
    [HTTP_SEC_FETCH_DEST] => document
    [HTTP_SEC_FETCH_USER] => ?1
    [HTTP_SEC_FETCH_MODE] => navigate
    [HTTP_SEC_FETCH_SITE] => same-origin
    [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    [HTTP_USER_AGENT] => Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
    [CONTENT_TYPE] => application/x-www-form-urlencoded
    [HTTP_DNT] => 1
    [HTTP_UPGRADE_INSECURE_REQUESTS] => 1
    [HTTP_ORIGIN] => https://192.168.0.44
    [HTTP_SEC_CH_UA_PLATFORM] => "Linux"
    [HTTP_SEC_CH_UA_MOBILE] => ?0
    [HTTP_SEC_CH_UA] => "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
    [HTTP_CACHE_CONTROL] => max-age=0
    [HTTP_CONTENT_LENGTH] => 19
    [HTTP_HOST] => 192.168.0.44
    [REMOTE_PORT] => 55474
    [REMOTE_ADDR] => 192.168.0.65
    [SERVER_NAME] => 192.168.0.44
    [SERVER_ADDR] => 192.168.0.44
    [SERVER_PORT] => 443
    [HTTPS] => on
    [REQUEST_SCHEME] => https
    [GATEWAY_INTERFACE] => CGI/1.1
    [SERVER_SOFTWARE] => WebGUI
    [SERVER_PROTOCOL] => HTTP/2.0
    [REQUEST_METHOD] => POST
    [DOCUMENT_ROOT] => /usr/local/www
    [SCRIPT_FILENAME] => /usr/local/www/test.php
    [SCRIPT_NAME] => /test.php
    [REDIRECT_STATUS] => 200
    [REQUEST_URI] => /test.php
    [QUERY_STRING] => 
    [CONTENT_LENGTH] => 19
    [FCGI_ROLE] => RESPONDER
    [PHP_SELF] => /test.php
    [REQUEST_TIME_FLOAT] => 1634740929.8279
    [REQUEST_TIME] => 1634740929
)
 [2021-10-20 14:59 UTC] cmb@php.net
Thanks for checking and the swift reply!

Are you using FCGI or FPM specifically?
 [2021-10-20 19:24 UTC] m49434s at gmail dot com
Many thanks for looking into this.

Yes, lighttpd 1.4.59 with mod_fastcgi is used
 [2021-10-27 10:49 UTC] cmb@php.net
-Status: Assigned +Status: Open -Assigned To: cmb +Assigned To:
 [2021-10-27 10:49 UTC] cmb@php.net
I tried again with PHP 7.4.19 and IIS (so same SAPI), but still
cannot reproduce that filter_input() call failing, regardless of
the setting of auto_globals_jit.  I have no idea why it fails for
you.  Sorry!
 [2022-08-05 09:28 UTC] daaxlxgaxvzfhjcpnz at nthrw dot com
The problem affects Apache + fcgid + php-cgi 8.1.9 too.

It't caused by auto_globals_jit enabled . When disabled, filter_input(INPUT_SERVER) works correctly.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Dec 04 08:01:29 2024 UTC