Bug #80849 HTTP Status header truncation
Submitted: 2021-03-09 18:36 UTC Modified: 2021-07-14 12:52 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: ben dot bidner at automattic dot com Assigned: cmb (profile)
Status: Closed Package: CGI/CLI related
PHP Version: 8.0.3 OS:
Private report: No CVE-ID: None
 [2021-03-09 18:36 UTC] ben dot bidner at automattic dot com
Description:
------------
`sapi_cgi_send_headers()` (in both `sapi/fpm/fpm/fpm_main.c` and `sapi/cgi/cgi_main.c`) will truncate HTTP Status headers larger than `SAPI_CGI_MAX_HEADER_LENGTH` in the following cases, potentially causing the trailing CR LF to be stripped.

	`len = slprintf(buf, SAPI_CGI_MAX_HEADER_LENGTH, "%s\r\n", SG(sapi_headers).http_status_line);`
	`len = slprintf(buf, sizeof(buf), "Status:%s\r\n", s);`
	`len = slprintf(buf, sizeof(buf), "Status: %d %s\r\n", SG(sapi_headers).http_response_code, err->str);`
	`len = slprintf(buf, sizeof(buf), "Status: %d\r\n", SG(sapi_headers).http_response_code);`

Removing the CR LFs and explicitly sending them after the header is sent (as per other headers in the code below this) should be sufficient to fix?

Test script:
---------------
<?php
header( 'HTTP/1.1 201 ' . str_repeat( 'A', 1011 ), true );
exit;

Actual result:
--------------
The example above will return the following headers

HTTP/1.1 201 AAA...AAAContent-type: text/html; charset=UTF-8
Server: nginx
Date: Tue, 09 Mar 2021 18:06:36 GMT
Connection: keep-alive
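
The truncation described in this report, reproduced as an added example that is not part of the original report or of php-src. Standard `snprintf()` stands in for PHP's `slprintf()`, the 1024-byte value of `SAPI_CGI_MAX_HEADER_LENGTH` is an assumption (the report does not state it), and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#define MAX_HEADER_LENGTH 1024 /* assumed value of SAPI_CGI_MAX_HEADER_LENGTH */

/* Bytes actually stored by a bounded snprintf() call that returned n. */
static size_t stored(int n, size_t cap) {
    return n < 0 ? 0 : ((size_t)n >= cap ? cap - 1 : (size_t)n);
}

/* Append n bytes to the simulated wire buffer; returns the new length. */
static size_t wire_put(char *wire, size_t used, const char *src, size_t n) {
    memcpy(wire + used, src, n);
    wire[used + n] = '\0';
    return used + n;
}

/* Reported pattern: CR LF sits inside the bounded format, so truncation eats it. */
size_t send_status_truncating(char *wire, size_t used, const char *status) {
    char buf[MAX_HEADER_LENGTH];
    int n = snprintf(buf, sizeof(buf), "%s\r\n", status);
    return wire_put(wire, used, buf, stored(n, sizeof(buf)));
}

/* Report's suggestion: bound only the text, then send CR LF on its own. */
size_t send_status_split(char *wire, size_t used, const char *status) {
    char buf[MAX_HEADER_LENGTH];
    int n = snprintf(buf, sizeof(buf), "%s", status);
    used = wire_put(wire, used, buf, stored(n, sizeof(buf)));
    return wire_put(wire, used, "\r\n", 2);
}

/* 1 if the first CR LF on the wire ends the status line, 0 if it ends the next header. */
int status_line_terminated(size_t reason_len, int use_split) {
    static char status[4096], wire[8192];
    const char *next = "Content-type: text/html; charset=UTF-8\r\n";
    if (reason_len > 4000) return -1; /* keep the constructed input inside status[] */
    int off = snprintf(status, sizeof(status), "HTTP/1.1 201 ");
    memset(status + off, 'A', reason_len);
    status[off + reason_len] = '\0';
    size_t used = (use_split ? send_status_split : send_status_truncating)(wire, 0, status);
    wire_put(wire, used, next, strlen(next));
    return strstr(wire, "Content-type:") > strstr(wire, "\r\n");
}

int main(void) {
    printf("1011-byte reason, truncating: %d\n", status_line_terminated(1011, 0));
    printf("1011-byte reason, split:      %d\n", status_line_terminated(1011, 1));
    return 0;
}
```

Under these assumptions a 1009-byte reason phrase already loses the LF while keeping the CR, so a check for this bug should probe the boundary and not only inputs well past it.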

 [2021-03-28 22:35 UTC] avinash dot roshan dot dsilva at gmail dot com
Would the following change do the trick?

```
len = slprintf(buf, sizeof(buf)+2, "Status:%s\r\n",s);
```
 [2021-07-14 12:52 UTC] cmb@php.net
-Status: Open +Status: Verified -Package: FPM related +Package: CGI/CLI related -Assigned To: +Assigned To: cmb
 [2021-07-14 12:52 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #80849: HTTP Status header truncation
On GitHub:  https://github.com/php/php-src/pull/7238
Patch:      https://github.com/php/php-src/pull/7238.patch
 [2021-07-15 17:18 UTC] git@php.net
Automatic comment on behalf of cmb69
Revision: https://github.com/php/php-src/commit/a054ef2aadd52238eb85d2e4c2b2b989e554a705
Log: Fix #80849: HTTP Status header truncation
 [2021-07-15 17:18 UTC] git@php.net
-Status: Verified +Status: Closed
 
Last updated: Thu Nov 21 12:01:29 2024 UTC