Bug #77953 Headers are case-sensitive to $_SERVER
Submitted: 2019-04-29 13:31 UTC
Modified: 2019-04-29 14:57 UTC
Votes:7
Avg. Score:4.1 ± 1.5
Reproduced:6 of 6 (100.0%)
Same Version:3 (50.0%)
Same OS:3 (50.0%)
From: roger at tecnofit dot com dot br
Assigned:
Status: Open
Package: Apache2 related
PHP Version: 7.2.17
OS: Linux
Private report: No
CVE-ID: None

 [2019-04-29 13:31 UTC] roger at tecnofit dot com dot br
Description:
------------
HTTP headers don't show up in $_SERVER if their case isn't capitalised.

Send the `Authorization` header to a script:
$_SERVER['HTTP_AUTHORIZATION'] will have your string.
Send the `authorization` (lowercase A) header to a script:
$_SERVER['HTTP_AUTHORIZATION'] will be null.

Some libs (flutter) and langs (dart) force lowercase headers relying on the RFC that states HTTP Headers are case-insensitive, and marked the issue as "won't fix" using the RFC argument. This caused some clients to be locked out of our PHP APIs for now.


 [2019-04-29 14:38 UTC] spam2 at rhsoft dot net
that's likely because it's how arrays are working by definition and there is no magic making superglobals behave different

php > $x=['a'=>1, 'A'=>2]; print_r($x);
Array
(
    [a] => 1
    [A] => 2
)

does the header not show up at all or is your code naive and only checks for HTTP_AUTHORIZATION in uppercase form?

additionally headers in HTTP2 are lowercase by definition as you can see below and i doubt that only applies to response-headers (that's a proxy and "x-response-time" from the backend for sure comes as "X-Response-Time")

HTTP/2 200
date: Mon, 29 Apr 2019 14:33:56 GMT
strict-transport-security: max-age=31536000
content-security-policy: script-src 'self' 'unsafe-inline' 'unsafe-eval';
x-frame-options: SAMEORIGIN
etag: 68fefde8d07528f48429f3f96ca70680
cache-control: private
last-modified: Mon, 28 Nov 2016 16:55:29 GMT
vary: Accept-Encoding,User-Agent
x-content-type-options: nosniff
x-response-time: D=5403 us
content-type: text/html; charset=ISO-8859-1
age: 0
 [2019-04-29 14:57 UTC] nikic@php.net
Which SAPI are you using? Are PHP_AUTH_USER and PHP_AUTH_PW set?
 [2019-04-29 18:37 UTC] roger at tecnofit dot com dot br
The code checks for $_SERVER['HTTP_AUTHORIZATION'] only, but it makes no sense for me to check for $_SERVER['HTTP_aUTHORIZATION'] seeing as the only letter that has changed is `A`, all http headers come in all uppercase when recognized and prefixed with `HTTP_` in the $_SERVER var, so I don't think it's a script problem.
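
A defensive lookup for the situation discussed in this report, as an added example that is not code from the thread or from PHP itself: the hypothetical helpers `find_request_header()` and `current_request_header()` check the `HTTP_*` key in `$_SERVER`, then a `REDIRECT_`-prefixed copy, then the raw header list compared case-insensitively. The sample arrays and token values are constructed.

```php
<?php
declare(strict_types=1);

// Added example; find_request_header() and current_request_header() are
// hypothetical helper names, not part of PHP.
function find_request_header(string $name, array $server, array $rawHeaders = []): ?string
{
    // CGI-style key: "authorization" or "Authorization" -> HTTP_AUTHORIZATION
    $cgiKey = 'HTTP_' . strtoupper(str_replace('-', '_', $name));

    // Apache prefixes environment variables with REDIRECT_ after an internal
    // redirect (for example a rewrite), so check that copy as well.
    foreach ([$cgiKey, 'REDIRECT_' . $cgiKey] as $key) {
        if (isset($server[$key]) && is_string($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }

    // Raw header list as received: compare names case-insensitively.
    foreach ($rawHeaders as $headerName => $value) {
        if (is_string($value) && strcasecmp((string) $headerName, $name) === 0) {
            return $value;
        }
    }
    return null;
}

// Live-request wrapper: getallheaders() is only defined under some SAPIs.
function current_request_header(string $name): ?string
{
    $raw = function_exists('getallheaders') ? getallheaders() : [];
    return find_request_header($name, $_SERVER, is_array($raw) ? $raw : []);
}

// Constructed inputs: header present in $_SERVER, header present only in the
// raw list with a lowercase name, and header absent.
$cases = [
    'server key'    => [['HTTP_AUTHORIZATION' => 'Bearer constructed-token'], []],
    'raw lowercase' => [[], ['authorization' => 'Bearer constructed-token']],
    'absent'        => [['HTTP_HOST' => 'api.example.test'], ['host' => 'api.example.test']],
];
foreach ($cases as $label => [$server, $raw]) {
    $value = find_request_header('Authorization', $server, $raw);
    printf("%-14s %s\n", $label, $value === null ? '(not found)' : $value);
}
```

Logging which of the three sources supplied the value on a failing request helps separate a client-side casing difference from a server configuration that drops the header before PHP sees it.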
 [2019-12-14 04:55 UTC] braxtonreed420 at hotmail dot com
The following pull request has been associated:

Patch Name: protect master branches except for the pecl repos against force pushes
On GitHub:  https://github.com/php/karma/pull/4
Patch:      https://github.com/php/karma/pull/4.patch
 
Last updated: Thu Nov 21 19:01:29 2024 UTC