PHP :: Doc Bug #32218 :: HTTP status 200 returned on HTTP CONNECT

Doc Bug #32218	HTTP status 200 returned on HTTP CONNECT
Submitted:	2005-03-07 13:53 UTC	Modified:	2005-03-08 14:50 UTC
From:	mcihar at suse dot cz	Assigned:
Status:	Closed	Package:	Documentation problem
PHP Version:	5.0.3	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	mcihar at suse dot cz
New email:
PHP Version:		OS:

New Comment:

[2005-03-07 13:53 UTC] mcihar at suse dot cz

Description:
------------
This is basically same as bug #19113, but I didn't find way to add comment there and I do no thing it is bogus.

Problem is that mod_php (and mod_perl as well) don't care about request type at all, and handle all same way. If this is really intended behaviour, it should be documented.

I feel it is a bug, solution migth be to add method check to php_handler. It might look like:

if (r->method_number != M_GET && r->method_number != M_POST) {
    return DECLINED;
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-03-07 20:08 UTC] sniper@php.net

Let's document it.

[2005-03-08 09:44 UTC] vrana@php.net

What's the problem here? Your PHP script can handle any type of request method and you can check for the method in variable $_SERVER["REQUEST_METHOD"] which is documented at http://www.php.net/manual/en/reserved.variables.php . You can send the status code yourself with header().

[2005-03-08 10:31 UTC] dave@php.net

It can handle any type of request Vrana, but is that fact documented anywhere? If it isn't, it should be. Most people wouldn't expect that methods other than GET or POST could be used to access their script, and this should probably be noted.

Ideally, the best solution would be to stop these unwanted request methods even getting to PHP in the first place. This could be done in Apache like this:

<LimitExcept GET POST>
Deny from all
</LimitExcept>

[2005-03-08 14:50 UTC] vrana@php.net

This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

New FAQ entry:

"Is PHP limited to process GET and POST request methods only?

No, it is possible to handle any request method, e.g. CONNECT. Proper response status can be sent with header(). If only GET and POST methods should be handled, it can be achieved with this Apache configuration:

<LimitExcept GET POST>
Deny from all
</LimitExcept>
"

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun May 25 07:01:27 2025 UTC