Bug #80849 HTTP Status header truncation
Submitted: 2021-03-09 18:36 UTC
Modified: 2021-07-14 12:52 UTC
Votes: 1
Avg. Score: 3.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: ben dot bidner at automattic dot com
Assigned: cmb
Status: Closed
Package: CGI/CLI related
PHP Version: 8.0.3
OS:
Private report: No
CVE-ID: None
 [2021-03-09 18:36 UTC] ben dot bidner at automattic dot com
Description:
------------
`sapi_cgi_send_headers()` (in both `sapi/fpm/fpm/fpm_main.c` and `sapi/cgi/cgi_main.c`) will truncate HTTP Status headers larger than `SAPI_CGI_MAX_HEADER_LENGTH` in the following cases, potentially causing the trailing CR LF to be stripped.

	`len = slprintf(buf, SAPI_CGI_MAX_HEADER_LENGTH, "%s\r\n", SG(sapi_headers).http_status_line);`
	`len = slprintf(buf, sizeof(buf), "Status:%s\r\n", s);`
	`len = slprintf(buf, sizeof(buf), "Status: %d %s\r\n", SG(sapi_headers).http_response_code, err->str);`
	`len = slprintf(buf, sizeof(buf), "Status: %d\r\n", SG(sapi_headers).http_response_code);`

Removing the CR LFs and explicitly sending them after the header is sent (as per other headers in the code below this) should be sufficient to fix?

Test script:
---------------
```
<?php
header( 'HTTP/1.1 201 ' . str_repeat( 'A', 1011 ), true );
exit;
```

Actual result:
--------------
The example above will return the following headers

```
HTTP/1.1 201 AAA...AAAContent-type: text/html; charset=UTF-8
Server: nginx
Date: Tue, 09 Mar 2021 18:06:36 GMT
Connection: keep-alive
```
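
The truncation described in the report above, next to the remedy the reporter suggests, as an added example (not code from php-src or from the linked pull request). It uses standard `snprintf` in place of PHP's `slprintf`; `MAX_HEADER_LENGTH` with a value of 1024 and all function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for SAPI_CGI_MAX_HEADER_LENGTH; the page does not state its value. */
#define MAX_HEADER_LENGTH 1024

/* snprintf returns the length it wanted to write; clamp to what fit in the buffer. */
static size_t written(int n, size_t bufsz)
{
    if (n < 0) return 0;
    return (size_t)n < bufsz ? (size_t)n : bufsz - 1;
}

/* Reported pattern: CRLF is part of the format string, so truncation eats it. */
size_t status_inline_crlf(const char *status, char *out)
{
    return written(snprintf(out, MAX_HEADER_LENGTH, "%s\r\n", status), MAX_HEADER_LENGTH);
}

/* Suggested remedy: format the line alone, then append CRLF unconditionally.
 * out must hold at least MAX_HEADER_LENGTH + 2 bytes. */
size_t status_separate_crlf(const char *status, char *out)
{
    size_t len = written(snprintf(out, MAX_HEADER_LENGTH, "%s", status), MAX_HEADER_LENGTH);
    memcpy(out + len, "\r\n", 3); /* CR, LF and the terminating NUL */
    return len + 2;
}

int ends_with_crlf(const char *p, size_t len)
{
    return len >= 2 && p[len - 2] == '\r' && p[len - 1] == '\n';
}

/* Constructed input: the status line the test script sets, 13 + 1011 bytes. */
size_t build_test_status(char *dst, size_t dstsz)
{
    size_t prefix = strlen("HTTP/1.1 201 ");
    if (dstsz < prefix + 1011 + 1) return 0;
    memcpy(dst, "HTTP/1.1 201 ", prefix);
    memset(dst + prefix, 'A', 1011);
    dst[prefix + 1011] = '\0';
    return prefix + 1011;
}

int main(void)
{
    char status[MAX_HEADER_LENGTH + 64], out[MAX_HEADER_LENGTH + 2];
    build_test_status(status, sizeof(status));
    size_t a = status_inline_crlf(status, out);
    printf("inline CRLF:   %zu bytes, terminated=%d\n", a, ends_with_crlf(out, a));
    size_t b = status_separate_crlf(status, out);
    printf("separate CRLF: %zu bytes, terminated=%d\n", b, ends_with_crlf(out, b));
    return 0;
}
```

With the separate terminator the over-long status text is still cut to fit the buffer, but the next header can no longer be glued onto the status line.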

 [2021-03-28 22:35 UTC] avinash dot roshan dot dsilva at gmail dot com
Would the following change do the trick?

```
len = slprintf(buf, sizeof(buf)+2, "Status:%s\r\n",s);
```
 [2021-07-14 12:52 UTC] cmb@php.net
-Status: Open
+Status: Verified
-Package: FPM related
+Package: CGI/CLI related
-Assigned To:
+Assigned To: cmb
 [2021-07-14 12:52 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #80849: HTTP Status header truncation
On GitHub:  https://github.com/php/php-src/pull/7238
Patch:      https://github.com/php/php-src/pull/7238.patch
 [2021-07-15 17:18 UTC] git@php.net
Automatic comment on behalf of cmb69
Revision: https://github.com/php/php-src/commit/a054ef2aadd52238eb85d2e4c2b2b989e554a705
Log: Fix #80849: HTTP Status header truncation
 [2021-07-15 17:18 UTC] git@php.net
-Status: Verified
+Status: Closed
 
Last updated: Thu Nov 21 12:01:29 2024 UTC