Request #81646 header() can violate HTTP RFC
Submitted: 2021-11-21 06:45 UTC Modified: -
Votes: 3
Avg. Score: 3.3 ± 1.2
Reproduced: 2 of 2 (100.0%)
Same Version: 1 (50.0%)
Same OS: 1 (50.0%)
From: ive_jihwan at kaist dot ac dot kr Assigned:
Status: Open Package: *Network Functions
PHP Version: 8.0.13 OS: any
Private report: No CVE-ID: None
 [2021-11-21 06:45 UTC] ive_jihwan at kaist dot ac dot kr
Description:
------------
RFC 7230, which was released in June 2014, explicitly specifies the HTTP-version field as starting with "HTTP", case-sensitively.
https://datatracker.ietf.org/doc/html/rfc7230#section-2.6

However, PHP's header() function compares the first 5 bytes with "HTTP/" case-insensitively, and copies the whole input line to the output message line. This lets clients misunderstand the HTTP version.

https://github.com/php/php-src/blob/master/main/SAPI.c#L755

It can be patched by forcing the first 4 bytes to uppercase "HTTP", or by changing strncasecmp to strncmp, which drops support for standards before RFC 7230.

Test script:
---------------
<?php

header("http/1.1 200 OK");


Expected result:
----------------
Either of the following.

- header() throws a warning/error noting that HTTP/1.1 or higher must use uppercase "HTTP"

- Internally convert to uppercase HTTP

Actual result:
--------------
(Raw HTTP response message)
http/1.1 200 OK
Date: Sun, 21 Nov 2021 06:38:10 GMT
Connection: close
X-Powered-By: PHP/8.0.13
Content-type: text/html; charset=UTF-8

(curl in verbose mode, downgraded to HTTP/1.0)
> GET /http11.php HTTP/1.1
> Host: localhost:1234
> User-Agent: curl/7.68.0
> Accept: */*
>
* HTTP 1.0, assume close after body
< http/1.1 200 OK
< Host: localhost:1234
< Date: Sun, 21 Nov 2021 06:35:19 GMT
< Connection: close
< X-Powered-By: PHP/8.0.13
< Content-type: text/html; charset=UTF-8

(Chrome)
Translates it as HTTP/1.1

(Safari)
Translates it as HTTP/1.1

(Firefox)
Fails to translate it as valid HTTP

For browser screenshots, here is a link: https://imgur.com/a/PtrmfTA
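The mitigation the report asks for, as an added example that is not part of the bug report or of php-src: a wrapper around header() that applies the same 5-byte "HTTP/" prefix test SAPI.c uses, but then validates the status line against the RFC 7230 grammar (case-sensitive "HTTP/" DIGIT "." DIGIT, 3-digit status code, reason phrase) before forwarding it. The function names validateStatusLine() and safeHeader() are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Return $line unchanged if it is an RFC 7230 status-line
 * (HTTP-version SP status-code SP reason-phrase), otherwise throw.
 * "HTTP" is matched case-sensitively, so "http/1.1 200 OK" is rejected
 * here even though PHP's own strncasecmp() check would accept it.
 */
function validateStatusLine(string $line): string
{
    // reason-phrase = *( HTAB / SP / VCHAR / obs-text ); CR/LF cannot match.
    $re = '/\AHTTP\/[0-9]\.[0-9] [0-9]{3} [\t\x20-\x7E\x80-\xFF]*\z/';
    if (preg_match($re, $line) !== 1) {
        throw new InvalidArgumentException(
            'Non-conformant status line (RFC 7230 section 3.1.2): ' . var_export($line, true)
        );
    }
    return $line;
}

/**
 * Drop-in replacement for header(): anything header() would treat as a
 * status line (case-insensitive "HTTP/" prefix, as in SAPI.c) must pass
 * validation; ordinary "Name: value" headers are forwarded untouched.
 */
function safeHeader(string $header, bool $replace = true, int $responseCode = 0): void
{
    if (strncasecmp($header, 'HTTP/', 5) === 0) {
        $header = validateStatusLine($header);
    }
    header($header, $replace, $responseCode);
}

// Constructed inputs: the report's failing line beside its conformant form.
if (PHP_SAPI === 'cli') {
    foreach (['HTTP/1.1 200 OK', 'http/1.1 200 OK', 'HTTP/1.1 200'] as $line) {
        try {
            validateStatusLine($line);
            echo "accepted: $line\n";
        } catch (InvalidArgumentException $e) {
            echo 'rejected: ' . $e->getMessage() . "\n";
        }
    }
}
```

Running the script from the CLI accepts only the first line; the lowercase version and the line without a reason-phrase separator are rejected before they could reach header().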

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 20:01:29 2024 UTC