Bug #15693 HTTP HEAD request executes entire script
Submitted: 2002-02-23 18:52 UTC Modified: 2002-02-24 03:57 UTC
From: patrick at ginx dot com Assigned:
Status: Not a bug Package: HTTP related
PHP Version: 4.1.1 OS: FreeBSD 4.5
Private report: No CVE-ID: None
 [2002-02-23 18:52 UTC] patrick at ginx dot com
Maybe this is the way it's supposed to work, but it doesn't make a whole lot of sense to me.

When processing a HEAD request, mod_php executes the script as if it were a normal GET request. This is unexpected (at least to me) and can lead to unexpected results, such as duplicate execution when dealing with browsers that use a HEAD request prior to a GET request.

For example, test script test.php:
<?php
$fp = fopen("test.out", "a");
fputs($fp, "I'm hit!");
fclose($fp);
?>

and assuming test.out exists and is world-writable.

HEAD /test.php HTTP/1.0

causes the file test.out to be appended to.

This is not what I would expect, but maybe it's unavoidable. A workaround is to look at $_SERVER['REQUEST_METHOD'] and do nothing if it's a HEAD request.


 './configure' '--with-apxs=/usr/local/sbin/apxs' '--with-config-file-path=/usr/local/etc' '--enable-versioning' '--with-system-regex' '--disable-debug' '--enable-track-vars' '--without-gd' '--without-mysql' '--with-zlib' '--with-mcrypt=/usr/local' '--with-mysql=/usr/local' '--prefix=/usr/local' 'i386--freebsd4.5'




 [2002-02-24 03:57 UTC] sander@php.net
A client using HEAD tries to figure out which HTTP headers it will receive if it sends GET. Those headers can be generated by your script, so the only way to get those headers is executing your script.

If you don't want that, use $_SERVER['REQUEST_METHOD'] or $REQUEST_METHOD to check whether this is a HEAD, GET or POST request.
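
Added example, not part of the original report or reply: a version of the test.php script above that applies the suggested $_SERVER['REQUEST_METHOD'] check, so a HEAD request returns the same headers as GET without appending to test.out. The function names record_hit() and handle(), the header values and the 405 handling for other methods are assumptions made for illustration.

```php
<?php
// Added example: guarded version of test.php from the report.
// record_hit() and handle() are hypothetical names; test.out is the
// file used in the report.

function record_hit(string $path): void
{
    // The side effect from the report. LOCK_EX keeps concurrent
    // requests from interleaving their writes.
    file_put_contents($path, "I'm hit!\n", FILE_APPEND | LOCK_EX);
}

function handle(string $method, string $path): int
{
    switch (strtoupper($method)) {
        case 'HEAD':
            // Same status and headers a GET would produce, but no
            // side effect and no body.
            http_response_code(200);
            header('Content-Type: text/plain; charset=utf-8');
            return 200;

        case 'GET':
            // Status and headers go out before any output is echoed.
            http_response_code(200);
            header('Content-Type: text/plain; charset=utf-8');
            record_hit($path);
            echo "ok\n";
            return 200;

        default:
            // Anything else is refused rather than silently executed.
            http_response_code(405);
            header('Allow: GET, HEAD');
            return 405;
    }
}

// REQUEST_METHOD is unset under the CLI, so fall back to GET there.
handle($_SERVER['REQUEST_METHOD'] ?? 'GET', __DIR__ . '/test.out');
```

With this in place, a client that sends HEAD before GET appends to test.out once instead of twice.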
 
Last updated: Sat Apr 17 20:01:23 2021 UTC