|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #28956 http headers not posted inside an 'if' that reads a preset variable.
Submitted: 2004-06-29 08:37 UTC Modified: 2004-06-29 11:48 UTC
From: lps at cwru dot edu Assigned:
Status: Not a bug Package: HTTP related
PHP Version: 4.3.7 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: lps at cwru dot edu
New email:
PHP Version: OS:


 [2004-06-29 08:37 UTC] lps at cwru dot edu
I've tested this buggy script on two substantially different setups:  

Redhat Linux 5.2  running Apache-1.3.31/PHP 4.3.3
Gentoo Linux V1.4 running Yaws-1.40/PHP 4.3.7

The http-header is posted ok if either:

1.  You change the "echo"  to "$foo =" and move the header("Cache..") to after the if-statement.

2.  The condition in the if statement does not refer to a preset variable.

Hope this helps,

Reproduce code:
header("Testing: 123");
    header("Cache-Control: no-store");
    echo $_POST["foo"];
  <title> Bug in PHP 4.3.3 and PHP 4.3.7 </title>
  <form action="test.php" method="post">
  <textarea name="foo">When you submit this, you will not get a 'Cache-Control: no-store' header.</textarea>
  <input type="submit" />


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2004-06-29 10:58 UTC] lps at cwru dot edu
Ok,  this really appears to be a feature, not a bug.  Admittedly I'm new to PHP, but this appears to be an undocumented feature.  Nothing is obvious from scanning the manual or looking through the php.ini file.

The PHP interpreter seems to be keeping track of some kind of "dirty variable".   Certainly, it appears to be intentionally preventing me from setting headers based off of content in $_SERVER["REQUEST_METHOD"].   Of course, this is a computationally undecidable problem, so in order for such a feature to work,  there must be cases where the header will always be posted, yet this feature won't let it happen.

I've found such a case, and pretty strong evidence for "dirty variables": 

$is_post = ($_SERVER["REQUEST_METHOD"] == "POST");
if ($is_post) {
   $foo = ! 0;
} else {
   $foo = ! 1;
$foo = "bar";
if ($foo == "bar") {
  header("Cache-Control: no-store");
} ?>

Now, this header doesn't get set.  However, it does if you change the last two occurances of "foo" to "baz" instead.  Admittedly, echoing data from GET and POST into http-headers allows for some truly nasty attacks.  But it's trivially easy to introduce Cross-Site Scripting vulnerabilities and other sorts of perhaps lesser evils....

Where is this feature documented, and how do you turn this feature off?
 [2004-06-29 11:48 UTC]
Uh?  What in the world are you talking about?  There is no such dirty-variable feature in PHP.  Your code example makes no sense.  If you do:

  $foo = "bar";
  if($foo == "bar") { action }

Then obviously that action will be taken no matter what you do before or after.

Pasting your exact code example on my server here and checking the headers I see the Cache-Control header perfectly:

2:45am thinkpad:~> cat www/t.php
$is_post = ($_SERVER["REQUEST_METHOD"] == "POST");
if ($is_post) {
   $foo = ! 0;
} else {
   $foo = ! 1;
$foo = "bar";
if ($foo == "bar") {
  header("Cache-Control: no-store");
} ?>

2:45am thinkpad:~> HEAD http://localhost/t.php
200 OK
Cache-Control: no-store
Connection: close
Date: Tue, 29 Jun 2004 09:46:01 GMT
Server: Apache/1.3.30-dev (Unix) PHP/4.3.8-dev
Content-Type: text/html
Client-Date: Tue, 29 Jun 2004 09:46:01 GMT
Client-Response-Num: 1
X-Powered-By: PHP/4.3.8-dev

PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Jul 19 12:01:29 2024 UTC