|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #22127 bogus http response when force-cgi-redirect safety mechanism triggered
Submitted: 2003-02-08 14:46 UTC Modified: 2004-03-12 08:58 UTC
From: zlo at canada dot com Assigned:
Status: Closed Package: CGI/CLI related
PHP Version: 4CVS, 5CVS OS: *
Private report: No CVE-ID: None
 [2003-02-08 14:46 UTC] zlo at canada dot com
When php is used in cgi mode with force-cgi-redirect enabled, and the safety mechanism is triggered, PHP produces a bogus http response line:
HTTP/1.1 0
this is invalid and browsers fail to display the output.
it happens for PHP 4.3.0 and a fresh PHP 4.3.1-dev snapshot under both Windows and Linux.
AFAIK 0 is not a valid response code, and unless one uses a non-compliant browser or accesses the page through a raw telnet session, the warning page cannot be seen.
it would be desirable for PHP to produce a meaningful response code, such as 200, 403 or 500.
for example:

GET /cgi-bin/php/pi.php HTTP/1.1
HOST: mysite

HTTP/1.1 0
Date: Sat, 08 Feb 2003 20:32:46 GMT
Server: Apache/1.3.27 (Unix) PHP/4.3.0
Transfer-Encoding: chunked
Content-Type: text/html; charset=windows-1251

<b>Security Alert!</b> The PHP CGI cannot be accessed directly.

<p>This PHP CGI binary was compiled with force-cgi-redirect enabled.  This
means that a page will only be served up if the REDIRECT_STATUS CGI variable is
set, e.g. via an Apache Action directive.</p>
<p>For more information as to <i>why</i> this behaviour exists, see the <a href="">manual page for CGI security</a>.</p>
<p>For more information about changing this behaviour or re-enabling this webserver,
consult the installation file that came with this distribution, or visit
<a href="">the manual page</a>.</p>



Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2003-03-30 15:45 UTC] zlo at canada dot com
using the latest build:
# HEAD http://mysite/cgi-bin/php/pi.php
500 Bad response code: 'HTTP/1.1 0'
 [2003-08-08 06:16 UTC]
Still a problem with both PHP4/PHP5.

 [2004-02-28 09:52 UTC] scottmacvicar at ntlworld dot com
403 is probably the most appropriate response code.
Though 400 Bad Request could be another possibility.

diff -u cgi_main.c cgi_main.c.patched
--- cgi_main.c  2004-02-28 14:53:31.000000000 +0000
+++ cgi_main.c.patched  2004-02-28 14:54:16.000000000 +0000
@@ -1106,6 +1106,7 @@
                            in case some server does something different than above */
                        && (!redirect_status_env || !getenv(redirect_status_env))
                        ) {
+                       SG(sapi_headers).http_response_code = 403;
                        PUTS("<b>Security Alert!</b> The PHP CGI cannot be accessed directly.\n\n\
 <p>This PHP CGI binary was compiled with force-cgi-redirect enabled.  This\n\
 means that a page will only be served up if the REDIRECT_STATUS CGI variable is\n\
 [2004-03-12 08:58 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue May 21 13:01:36 2024 UTC