|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #38369 Status: header incorrectly handled in CGI/FastCGI mode
Submitted: 2006-08-07 15:04 UTC Modified: 2006-08-07 18:03 UTC
Avg. Score:4.0 ± 1.2
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:2 (66.7%)
From: chris at mysociety dot org Assigned:
Status: Wont fix Package: CGI/CLI related
PHP Version: * OS: *
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2006-08-07 15:04 UTC] chris at mysociety dot org
PHP does not correctly handle calls such as header("Status: ..."). In CGI mode it should process such a call as a changing the HTTP response code (consistent with its handling of, e.g., header("Location: ...")). However, at present there is no special handling of the Status: header. That's why sending Status: and then Location: causes a duplicate header: the Location: header is handled as a special case and causes sapi_update_response_code(302) to be called, whereas the Status: header is just added to the list of headers to be sent back to the web server (see bug #33225 incorrectly marked "bogus", I think because the reviewer doesn't understand CGI). Note that sending two different Status: headers explicitly with header("Status: ...") doesn't give this error, because the default operation is to *replace* the header, not add a new one.

Here is a patch to fix the bug in 4.4.3; it also applies to 5.1.4 and probably other versions too:

--- php-4.4.3-orig/main/SAPI.c  2006-01-01 13:46:59.000000000 +0000
+++ php-4.4.3/main/SAPI.c       2006-08-07 15:49:15.000000000 +0100
@@ -611,6 +611,14 @@
                                        /* Return a Found Redirect if one is not already specified */
                                        sapi_update_response_code(302 TSRMLS_CC);
+                       } else if (!STRCASECMP(header_line, "Status")) {
+                               int code;
+                               if (1 == sscanf(colon_offset + 1, "%d", &code)
+                                       && code >= 100 && code < 1000) {
+                                       /* Also want to suppress this header. */
+                                       sapi_update_response_code(code TSRMLS_CC);
+                                       return SUCCESS;
+                               } /* else error? */
                        } else if (!STRCASECMP(header_line, "WWW-Authenticate")) { /* HTTP Authentication */
                                sapi_update_response_code(401 TSRMLS_CC); /* authentication-required */

-- I've also put a copy of this at
 in case this form isn't transparent.

Reproduce code:
header("Status: 404");

Expected result:
Redirect to

Actual result:
Internal server error because PHP sends the Status: header twice, violating the CGI spec.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2006-08-07 15:09 UTC]
The SAPI independant way to issue an HTTP response code in PHP is a "HTTP/1.x NNN" header.

 [2006-08-07 15:17 UTC] chris at mysociety dot org
Perhaps you'd like to go and fix all the code which uses the Status: header, then? A quick search will find lots of PHP programs that use it (WordPress, for instance), and they're all broken because PHP's handling of Status: is incorrect. Alternatively you could just make PHP's behaviour correct, using the fix I've given you.
 [2006-08-07 15:39 UTC]
You're suggesting to fix the symptom instead of the cause.
 [2006-08-07 18:03 UTC] chris at mysociety dot org
No, you have misunderstood. You claim that PHP is a conformant CGI program. It is not, because it will send more than one Status: header. I have provided a fix. You refuse to apply it. Are you no longer interested in supporting CGI?
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Tue Dec 01 07:01:24 2020 UTC