PHP :: Bug #77285 :: Missing REQUEST_METHOD in INPUT

Bug #77285

Missing REQUEST_METHOD in INPUT_SERVER

Submitted:

2018-12-11 22:44 UTC

Modified:

2021-10-27 10:49 UTC

Votes:	6
Avg. Score:	3.7 ± 0.9
Reproduced:	5 of 5 (100.0%)
Same Version:	1 (20.0%)
Same OS:	0 (0.0%)

From:

m49434s at gmail dot com

Assigned:

Status:

Open

Package:

Filter related

PHP Version:

7.3.0

OS:

FreeBSD

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	m49434s at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2018-12-11 22:44 UTC] m49434s at gmail dot com

Description:
------------
With PHP 7.3.0 input validation using filter_input(INPUT_SERVER,'REQUEST_METHOD',...) is broken because the field 'REQUEST_METHOD' is not mapped. The code is working as expected in 7.2.x and previous releases.

Test script:
---------------
<?php
if(filter_has_var(INPUT_SERVER,'REQUEST_METHOD')):
	echo 'filter_has_var: INPUT_SERVER field REQUEST_METHOD exists',PHP_EOL,PHP_EOL;
else:
	echo 'filter_has_var: INPUT_SERVER field REQUEST_METHOD does not exist',PHP_EOL,PHP_EOL;
	echo '<pre>';
	print_r($_SERVER);
	echo '</pre>';
endif;
?>
<form action="test.php" method="post" id="iform" name="iform">
	<input type="text" id="username" name="username" placeholder="Username" autofocus="autofocus">
	<input type="password" id="password" name="password" placeholder="Password">
	<input type="submit" value="Login">
</form>

Expected result:
----------------
The script should display 'filter_has_var: INPUT_SERVER field REQUEST_METHOD exists' after pressing the login button.

Actual result:
--------------
Script displays 'filter_has_var: INPUT_SERVER field REQUEST_METHOD does not exist' followed by the content of $_SERVER after pressing the login button.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-12-12 13:55 UTC] ma dot zoon at quicknet dot nl

i can confirm proper working on php 7.2.13 and broken on php 7.3.0.

[2021-10-20 10:24 UTC] cmb@php.net

-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb

[2021-10-20 10:24 UTC] cmb@php.net

I cannot reproduce this with PHP-7.4 and the CGI SAPI.  Can
anybody else still reproduce this with any of the actively
supported PHP versions[1]?

[1] <https://www.php.net/supported-versions.php>

[2021-10-20 14:44 UTC] m49434s at gmail dot com

-Status: Feedback +Status: Assigned

[2021-10-20 14:44 UTC] m49434s at gmail dot com

filter_has_var is still reporting false for INPUT_SERVER / REQUEST_METHOD in PHP 7.4.19, although $_SERVER has it:

PHP version: 7.4.19
filter_has_var: INPUT_SERVER field REQUEST_METHOD does not exist
Array
(
    [PATH] => /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
    [PHP_FCGI_CHILDREN] => 2
    [PHP_FCGI_MAX_REQUESTS] => 500
    [PATH_TRANSLATED] => /usr/local/www
    [ORIG_SCRIPT_FILENAME] => /usr/local/www/test.php/
    [SSL_CIPHER_ALGKEYSIZE] => 256
    [SSL_CIPHER_USEKEYSIZE] => 256
    [SSL_CIPHER] => TLS_AES_256_GCM_SHA384
    [SSL_PROTOCOL] => TLSv1.3
    [HTTP_COOKIE] => <removed>
    [HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.9,de-DE;q=0.8,de;q=0.7,fr;q=0.6
    [HTTP_ACCEPT_ENCODING] => gzip, deflate, br
    [HTTP_REFERER] => https://192.168.0.44/test.php
    [HTTP_SEC_FETCH_DEST] => document
    [HTTP_SEC_FETCH_USER] => ?1
    [HTTP_SEC_FETCH_MODE] => navigate
    [HTTP_SEC_FETCH_SITE] => same-origin
    [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    [HTTP_USER_AGENT] => Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36
    [CONTENT_TYPE] => application/x-www-form-urlencoded
    [HTTP_DNT] => 1
    [HTTP_UPGRADE_INSECURE_REQUESTS] => 1
    [HTTP_ORIGIN] => https://192.168.0.44
    [HTTP_SEC_CH_UA_PLATFORM] => "Linux"
    [HTTP_SEC_CH_UA_MOBILE] => ?0
    [HTTP_SEC_CH_UA] => "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
    [HTTP_CACHE_CONTROL] => max-age=0
    [HTTP_CONTENT_LENGTH] => 19
    [HTTP_HOST] => 192.168.0.44
    [REMOTE_PORT] => 55474
    [REMOTE_ADDR] => 192.168.0.65
    [SERVER_NAME] => 192.168.0.44
    [SERVER_ADDR] => 192.168.0.44
    [SERVER_PORT] => 443
    [HTTPS] => on
    [REQUEST_SCHEME] => https
    [GATEWAY_INTERFACE] => CGI/1.1
    [SERVER_SOFTWARE] => WebGUI
    [SERVER_PROTOCOL] => HTTP/2.0
    [REQUEST_METHOD] => POST
    [DOCUMENT_ROOT] => /usr/local/www
    [SCRIPT_FILENAME] => /usr/local/www/test.php
    [SCRIPT_NAME] => /test.php
    [REDIRECT_STATUS] => 200
    [REQUEST_URI] => /test.php
    [QUERY_STRING] => 
    [CONTENT_LENGTH] => 19
    [FCGI_ROLE] => RESPONDER
    [PHP_SELF] => /test.php
    [REQUEST_TIME_FLOAT] => 1634740929.8279
    [REQUEST_TIME] => 1634740929
)

[2021-10-20 14:59 UTC] cmb@php.net

Thanks for checking and the swift reply!

Are you using FCGI or FPM specifically?

[2021-10-20 19:24 UTC] m49434s at gmail dot com

Many thanks for looking into this.

Yes, lighttpd 1.4.59 with mod_fastcgi is used

[2021-10-27 10:49 UTC] cmb@php.net

-Status: Assigned +Status: Open -Assigned To: cmb +Assigned To:

[2021-10-27 10:49 UTC] cmb@php.net

I tried again with PHP 7.4.19 and IIS (so same SAPI), but still
cannot reproduce that filter_input() call failing, regardless of
the setting of auto_globals_jit.  I have no idea why it fails for
you.  Sorry!

[2022-08-05 09:28 UTC] daaxlxgaxvzfhjcpnz at nthrw dot com

The problem affects Apache + fcgid + php-cgi 8.1.9 too.

It't caused by auto_globals_jit enabled . When disabled, filter_input(INPUT_SERVER) works correctly.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Wed Dec 04 18:01:31 2024 UTC