Request #74535 please warn users when implicit Location: HTTP status override triggers
Submitted: 2017-05-03 13:27 UTC Modified: -
Votes:4
Avg. Score:3.5 ± 0.9
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:0 (0.0%)
From: joy+php at entuzijast dot net Assigned:
Status: Open Package: HTTP related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2017-05-03 13:27 UTC] joy+php at entuzijast dot net
Description:
------------
Hi,

An aspect of this bug was previously reported at https://bugs.php.net/bug.php?id=70273

When you run:

header("HTTP/1.1 202 Accepted");
header("Location: whatever");

...this second header will invoke the function which will replace the user-defined status code (202 in this example) with a 302. This is fine, as it is conformant to RFC 2616, but there should really be a warning emitted in the logs to tell the user that their input was explicitly ignored. For example, say "PHP Warning: Location header incompatible with HTTP/1.1 202 Accepted, falling back to HTTP/1.1 302 Found"

TIA.



 [2017-05-03 19:09 UTC] remy at lebeausoftware dot org
Replacing a previously established status code with 302 is NOT conformant to RFC 2616.  Nowhere does that RFC say that the 'Location' header can't be used in status codes other than 201 and 3xx.  It would make sense for header() to *default* the 'Location' header to 302 if a status code has not been assigned yet, but it certainly should not overwrite an existing status code, or at least should only overwrite 200.  The 'Location' header is treated as a redirect only in 201 and 3xx, but it can be used by other status codes for other purposes besides redirects.
 [2017-05-03 19:13 UTC] remy at lebeausoftware dot org
"The 'Location' header is treated as a redirect only in 201 and 3xx".  Sorry, I meant 3xx only (not including 304, BTW).  In fact, case in point, 201 defines 'Location' for non-redirect purposes (the new URL of the created resource).  So can other status codes as desired.  'Location' can have semantic meaning in 202 (a status monitor URL for the pending operation), for instance.
 
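Added example, not part of the report or its comments and not code from the PHP project: a userland wrapper that emits the kind of warning requested above when header() replaces an already-set status, and that keeps a chosen status by passing it as header()'s third argument. The function name send_location and the URL /status/123 are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not a PHP built-in): send a Location header and
 * report when header() replaces a status code that was already set.
 */
function send_location(string $url, ?int $status = null): void
{
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Headers already sent at $file:$line");
    }

    if ($status !== null) {
        // The third argument of header() forces the response code,
        // so the caller's status is kept alongside the Location header.
        header('Location: ' . $url, true, $status);
        return;
    }

    // int under a web SAPI; false when no response code is available (CLI).
    $before = http_response_code();
    header('Location: ' . $url);
    $after = http_response_code();

    // A default 200 cannot be told apart from an explicit 200, so only
    // non-200 codes are treated as a deliberate choice that was overridden.
    if (is_int($before) && $before !== 200 && $after !== $before) {
        trigger_error(
            sprintf('Location header replaced HTTP status %d with %d', $before, $after),
            E_USER_WARNING
        );
    }
}

// The sequence from the report: a status is set first, then Location.
header('HTTP/1.1 202 Accepted');
send_location('/status/123');       // constructed URL; the warning fires here

// Keeping 202 with a Location that points at a status monitor.
send_location('/status/123', 202);
```

Logging the warning server-side makes the silent override visible in code review and in production logs, where an unintended redirect status would otherwise only show up in client behaviour.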
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 07:01:30 2024 UTC