|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2006-08-07 15:09 UTC] mike@php.net
[2006-08-07 15:17 UTC] chris at mysociety dot org
[2006-08-07 15:39 UTC] mike@php.net
[2006-08-07 18:03 UTC] chris at mysociety dot org
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Wed Feb 05 06:01:32 2025 UTC |
Description: ------------ PHP does not correctly handle calls such as header("Status: ..."). In CGI mode it should process such a call as a changing the HTTP response code (consistent with its handling of, e.g., header("Location: ...")). However, at present there is no special handling of the Status: header. That's why sending Status: and then Location: causes a duplicate header: the Location: header is handled as a special case and causes sapi_update_response_code(302) to be called, whereas the Status: header is just added to the list of headers to be sent back to the web server (see bug #33225 incorrectly marked "bogus", I think because the reviewer doesn't understand CGI). Note that sending two different Status: headers explicitly with header("Status: ...") doesn't give this error, because the default operation is to *replace* the header, not add a new one. Here is a patch to fix the bug in 4.4.3; it also applies to 5.1.4 and probably other versions too: --- php-4.4.3-orig/main/SAPI.c 2006-01-01 13:46:59.000000000 +0000 +++ php-4.4.3/main/SAPI.c 2006-08-07 15:49:15.000000000 +0100 @@ -611,6 +611,14 @@ /* Return a Found Redirect if one is not already specified */ sapi_update_response_code(302 TSRMLS_CC); } + } else if (!STRCASECMP(header_line, "Status")) { + int code; + if (1 == sscanf(colon_offset + 1, "%d", &code) + && code >= 100 && code < 1000) { + /* Also want to suppress this header. */ + sapi_update_response_code(code TSRMLS_CC); + return SUCCESS; + } /* else error? */ } else if (!STRCASECMP(header_line, "WWW-Authenticate")) { /* HTTP Authentication */ sapi_update_response_code(401 TSRMLS_CC); /* authentication-required */ -- I've also put a copy of this at http://bitter.ukcod.org.uk/~chris/tmp/20060807/php-4.4.3-fix-duplicate-Status:.patch in case this form isn't transparent. Reproduce code: --------------- <? header("Status: 404"); header("Location: http://www.google.com/"); ?> Expected result: ---------------- Redirect to http://www.google.com/ Actual result: -------------- Internal server error because PHP sends the Status: header twice, violating the CGI spec.