php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #45947 Apache env variables changed by PHP IN Apache
Submitted: 2008-08-29 13:37 UTC Modified: 2008-08-30 16:45 UTC
From: regis dot leroy at makina-corpus dot com Assigned:
Status: Closed Package: Apache2 related
PHP Version: 5.2.6 OS: Linux Debian
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: regis dot leroy at makina-corpus dot com
New email:
PHP Version: OS:

 

 [2008-08-29 13:37 UTC] regis dot leroy at makina-corpus dot com 
Description:
------------
reopening Bug #39927 and Bug #13961 which seems to have been marked Bogus because of a Bogus reviewer.
Apache Env set by, for example:
 BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0

Is treaten in PHP to become downgrade-1_0 with an "_". that's OK, its' for security reasons.
But it is changed in Apache, and so Apache will not modify the response to make his 'forced downgrade to HTTP/1.0'.
That's REALLY BAAAD.
This breaks Apache mechanism to handle bad browser which do not understand well HTTP/1.1 (with chunked responses on bad Java soap parses for exemple).


I reedit the bug to give a workaround for people interested:
in PHP write such things:
"""
if ($_SERVER['downgrade-1_0']){
        apache_setenv('downgrade-1.0','true');
}
"""
Beware of safe mode allowed env vars if you're in safe mode.

Now you have to right behaviour $_SERVER contains only strings without dots but Apache have the right env to behave well.

Shame on PHP....

Reproduce code:
---------------
see previous bugs

Expected result:
----------------
response in HTTP/1.0

Actual result:
--------------
response in HTTP/1.1

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-08-30 16:45 UTC] rasmus@php.net 
I don't think this one is bogus.  Ilia was wrong in 13961.  Only the value is copied, not the key there.  And in 39927 I replied to the last commenter who seemed to want to disable the . -> _ munging when register_globals is off, but missed the original point of the code modifying the passed in key.  We dropped the ball multiple times on this one.

I'll commit a fix in a bit.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Dec 21 17:01:58 2024 UTC