Bug #40761 header() is wrongly handled, thus causing problems for browsers
Submitted: 2007-03-08 20:43 UTC Modified: 2007-03-09 14:30 UTC
From: c dot kirschnick at gmx dot net Assigned: mike (profile)
Status: Not a bug Package: CGI/CLI related
PHP Version: 4.4.5 OS: *
Private report: No CVE-ID: None
 [2007-03-08 20:43 UTC] c dot kirschnick at gmx dot net
Description:
------------
This bug was sent in before, but wrongly marked "bogus"/"won't fix" (see Bug #38369).

PHP does not correctly handle calls such as header("Status: ..."). In
CGI mode it should process such a call as changing the HTTP response
code (consistent with its handling of, e.g., header("Location: ...")).
However, at present there is no special handling of the Status: header.
That's why sending Status: and then Location: causes a duplicate header:
the Location: header is handled as a special case and causes
sapi_update_response_code(302) to be called, whereas the Status: header
is just added to the list of headers to be sent back to the web server
(see bug #33225 incorrectly marked "bogus", I think because the reviewer
doesn't understand CGI). Note that sending two different Status: headers
explicitly with header("Status: ...") doesn't give this error, because
the default operation is to *replace* the header, not add a new one.

Since PHP should conform to the CGI-norm, this bug should be fixed. Although the IE does not fully stick to this norm, the FF does - which ignores duplicated headers, resulting in different behaviour of both.

Reproduce code:
---------------
<?
header("HTTP/1.1 403 Forbidden");
?>

Expected result:
----------------
An error message created by the browser

Actual result:
--------------
IE: correct 403
FF: blank page (no output)


The headers:
HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden

 [2007-03-09 11:14 UTC] mike@php.net
Please tell me your server software and your configure line.

Cannot reproduce with 4.4.3 and 4.4-CVS:
mike@honeybadger:~/build/php-4.4-cgi-http$ cgi <<<'<?php header("HTTP/1.1 403 Forbidden");'
Status: 403
X-Powered-By: PHP/4.4.7-dev
Content-type: text/html


As you write

HTTP/1.1 200 OK
HTTP/1.1 403 Forbidden

as seen result, I think your server software exhibits this bug.
 [2007-03-09 14:24 UTC] c dot kirschnick at gmx dot net
Hum, tried it again and again - came to the conclusion that it was a browser issue.

Sorry, and keep up the good work.
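
The distinction the thread turns on, as an added example that is not part of the original report or of PHP's code: in CGI mode the script emits a Status: field and the web server builds the HTTP status line from it, with Location: implying 302 and 200 as the default. This Python sketch models that gateway step under simplified RFC 3875 rules; the function names, the reason-phrase table, the constructed duplicate sample and the last-one-wins handling of duplicate Status: fields are assumptions.

```python
# Added example: simplified model of how a CGI gateway derives the HTTP
# status line from script output (RFC 3875 rules). Not PHP or server code.
REASONS = {200: "OK", 302: "Found", 403: "Forbidden"}  # constructed table

# CGI output quoted in the thread, plus a constructed duplicate-Status case.
THREAD_OUTPUT = "Status: 403\nX-Powered-By: PHP/4.4.7-dev\nContent-type: text/html\n\n"
DUPLICATE_OUTPUT = "Status: 302\nLocation: /x\nStatus: 403\n\n"  # constructed


def parse_cgi_headers(raw):
    """Split the CGI header block (up to the first blank line) into pairs."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    fields = []
    for line in head.split("\n"):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            # A raw "HTTP/1.1 403 Forbidden" line is not a CGI header field.
            raise ValueError("not a CGI header field: %r" % line)
        fields.append((name.strip(), value.strip()))
    return fields


def build_status_line(raw):
    """Return (status_line, warnings) for the response the gateway sends."""
    fields = parse_cgi_headers(raw)
    statuses = [v for n, v in fields if n.lower() == "status"]
    has_location = any(n.lower() == "location" for n, _ in fields)
    warnings = []
    if len(statuses) > 1:
        warnings.append("duplicate Status header; using the last one")
    if statuses:
        code = int(statuses[-1].split()[0])
    elif has_location:
        code = 302  # redirect implied by Location when no Status is given
    else:
        code = 200  # default when the script sets no status
    return ("HTTP/1.1 %d %s" % (code, REASONS.get(code, ""))).rstrip(), warnings


if __name__ == "__main__":
    for sample in (THREAD_OUTPUT, DUPLICATE_OUTPUT):
        print(build_status_line(sample))
```

A gateway that instead forwards a second status line unchanged would produce the two-line "HTTP/1.1 200 OK" / "HTTP/1.1 403 Forbidden" header block shown in the report, which is why the parser above rejects a raw HTTP status line as a header field.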
 
Last updated: Fri Nov 01 01:01:28 2024 UTC