php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #45947 Apache env variables changed by PHP IN Apache
Submitted: 2008-08-29 13:37 UTC Modified: 2008-08-30 16:45 UTC
From: regis dot leroy at makina-corpus dot com Assigned:
Status: Closed Package: Apache2 related
PHP Version: 5.2.6 OS: Linux Debian
Private report: No CVE-ID: None
View Add Comment Developer Edit
 [2008-08-29 13:37 UTC] regis dot leroy at makina-corpus dot com 
Description:
------------
reopening Bug #39927 and Bug #13961 which seems to have been marked Bogus because of a Bogus reviewer.
Apache Env set by, for example:
 BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0

Is treaten in PHP to become downgrade-1_0 with an "_". that's OK, its' for security reasons.
But it is changed in Apache, and so Apache will not modify the response to make his 'forced downgrade to HTTP/1.0'.
That's REALLY BAAAD.
This breaks Apache mechanism to handle bad browser which do not understand well HTTP/1.1 (with chunked responses on bad Java soap parses for exemple).


I reedit the bug to give a workaround for people interested:
in PHP write such things:
"""
if ($_SERVER['downgrade-1_0']){
        apache_setenv('downgrade-1.0','true');
}
"""
Beware of safe mode allowed env vars if you're in safe mode.

Now you have to right behaviour $_SERVER contains only strings without dots but Apache have the right env to behave well.

Shame on PHP....

Reproduce code:
---------------
see previous bugs

Expected result:
----------------
response in HTTP/1.0

Actual result:
--------------
response in HTTP/1.1

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-08-30 16:45 UTC] rasmus@php.net 
I don't think this one is bogus.  Ilia was wrong in 13961.  Only the value is copied, not the key there.  And in 39927 I replied to the last commenter who seemed to want to disable the . -> _ munging when register_globals is off, but missed the original point of the code modifying the passed in key.  We dropped the ball multiple times on this one.

I'll commit a fix in a bit.
 
PHP Copyright © 2001-2023 The PHP Group
All rights reserved. 		Last updated: Mon Mar 27 13:03:40 2023 UTC