Bug #49851 http wrapper breaks on 1024 char long headers
Submitted: 2009-10-12 20:20 UTC Modified: 2009-12-21 10:10 UTC
From: sjoerd-php at linuxonly dot nl Assigned: iliaa
Status: Closed Package: Streams related
PHP Version: 5.*, 6 OS: *
Private report: No CVE-ID:
 [2009-10-12 20:20 UTC] sjoerd-php at linuxonly dot nl
Description:
------------
If an HTTP response contains a header of exactly 1024 characters, the remaining headers are not parsed and are returned in the output.

Reproduce code:
---------------
<?php
echo file_get_contents('http://localhost/a.php');
?>

a.php:
<?php
header(str_pad('X-Padding: ', 1022, 'x'));
header('Location: http://www.google.nl/');
echo "Foo";
?>

Expected result:
----------------
The homepage of google.nl.

Actual result:
--------------
Location: http://www.google.nl
Vary: Accept-Encoding
Content-Length: 3
Connection: close
Content-Type: text/html

Foo

 [2009-10-12 20:24 UTC] Sjoerd@php.net
See also bug #49847 "exec() confused by a specially crafted string", which has a similar cause.

From http_fopen_wrapper.c:
while (!body && !php_stream_eof(stream)) {
	size_t http_header_line_length;
	if (php_stream_get_line(stream, http_header_line, HTTP_HEADER_BLOCK_SIZE, &http_header_line_length) && *http_header_line != '\n' && *http_header_line != '\r') {
		...
	} else {
		break;
	}
}
 [2009-10-12 21:16 UTC] lbarnaud@php.net
Verified, since 5.1.0 at least.
 [2009-10-24 02:16 UTC] srinatar@php.net
PHP internally does not have any hard coded limit to parse the header value. The only time you will see an HTTP header in your output is when the header does not end with \r\n (to mark it as a new line).

As per the HTTP spec, every HTTP header needs to end with \r\n (CR LF) to mark the end of the line. PHP internally checks for this line to determine if the header is done before proceeding to parse the body of the request.

If you modify the test case below to reflect that there needs to be a \r\n to mark the end of the line, then you will see the expected output.

<?php
$string = str_pad('X-Padding: ', 1022, 'x').'\r\n';
header($string);
header('Location: http://www.google.nl/');
echo "Foo";
?>

I suggest marking this bug as bogus (or not an issue).
 [2009-10-24 08:08 UTC] sjoerd@php.net
Thank you for your input. However, I disagree with your post.

> php internally does not have any hard coded limit
http_fopen_wrapper.c:75
#define HTTP_HEADER_BLOCK_SIZE		1024

> the header does not end with \r\n
This is not needed with header().

> $string = str_pad('X-Padding: ', 1022, 'x').'\r\n';
This appends \r\n instead of CRLF, because you use single quotes instead of double quotes.
 [2009-11-30 19:48 UTC] jani@php.net
What SAPI are you using? I cannot reproduce this with fastcgi + lighttpd.
 [2009-12-02 16:53 UTC] sjoerd@php.net
Apache module.

The important thing is that a.php gives a header which is exactly 1024 bytes long, including \r\n. The file_get_contents then gives a wrong result, and you can run that on the CLI or any other SAPI.
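
Added illustration, not part of the thread and not PHP source: a small C model of the quoted loop, showing why a header of exactly 1024 bytes (CRLF included) makes the next read look like the blank line that ends the headers. The fgets-style get_line, the careful variant and all names are assumptions of this sketch; the variant is not the fix committed in the SVN revisions.

```c
#include <stdio.h>
#include <string.h>

#define BLOCK 1024 /* same value as HTTP_HEADER_BLOCK_SIZE quoted above */

/* Constructed in-memory response; stands in for the PHP stream. */
struct src { const char *p; size_t left; };

/* fgets-style read: at most cap-1 bytes, stops after '\n', NUL-terminates.
 * Assumption: this is how php_stream_get_line() fills a fixed buffer. */
static size_t get_line(struct src *s, char *buf, size_t cap) {
    size_t n = 0;
    while (n + 1 < cap && s->left) {
        buf[n++] = *s->p++; s->left--;
        if (buf[n - 1] == '\n') break;
    }
    buf[n] = '\0';
    return n;
}

/* Consumes headers and returns how many bytes are left over as "body".
 * careful=0 mirrors the quoted loop; careful=1 drains the rest of a line
 * that filled the buffer before treating the next read as a new line. */
static size_t skip_headers(struct src *s, int careful) {
    char line[BLOCK];
    size_t n;
    while (s->left && (n = get_line(s, line, BLOCK)) > 0) {
        if (*line == '\n' || *line == '\r') break; /* taken as blank line */
        while (careful && line[n - 1] != '\n' && s->left)
            n = get_line(s, line, BLOCK);          /* rest of same header */
    }
    return s->left;
}

/* Builds an X-Padding header of hdr_len bytes (CRLF included), a Location
 * header, the blank line and the body "Foo", then parses it.
 * Valid for hdr_len between 14 and 4000. */
size_t body_len(size_t hdr_len, int careful) {
    static const char tail[] = "Location: http://www.google.nl/\r\n\r\nFoo";
    static char resp[4096];
    memcpy(resp, "X-Padding: ", 11);
    memset(resp + 11, 'x', hdr_len - 13);
    memcpy(resp + hdr_len - 2, "\r\n", 2);
    memcpy(resp + hdr_len, tail, sizeof tail - 1);
    struct src s = { resp, hdr_len + sizeof tail - 1 };
    return skip_headers(&s, careful);
}

int main(void) {
    printf("1023: %zu  1024: %zu  1024 careful: %zu\n", body_len(1023, 0), body_len(1024, 0), body_len(1024, 1));
}
```

A result of 3 means only "Foo" was left as body; a larger result means the Location header was handed to the caller as body, as in the report.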
 [2009-12-02 18:46 UTC] jani@php.net
So it's a bug in streams code (http) and not server side. Your summary for this bug report sucks and the category was wrong. And I should read all comments. :) 
 [2009-12-10 03:23 UTC] svn@php.net
Automatic comment from SVN on behalf of iliaa
Revision: http://svn.php.net/viewvc/?view=revision&revision=291938
Log: Fixed bug #49851 (http wrapper breaks on 1024 char long headers).
 [2009-12-10 03:23 UTC] iliaa@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2009-12-11 13:17 UTC] sjoerd@php.net
This one is fixed. Filed bug #50451 "http wrapper breaks on 2048 char long headers".
 [2009-12-13 15:44 UTC] svn@php.net
Automatic comment from SVN on behalf of iliaa
Revision: http://svn.php.net/viewvc/?view=revision&revision=292079
Log: Fixed bug #50451 (http wrapper breaks on 2048 char long headers)

# Improvement on the fix for bug #49851
 [2009-12-14 06:19 UTC] jani@php.net
Not merged yet to PHP_5_2. 
 [2009-12-20 19:14 UTC] svn@php.net
Automatic comment from SVN on behalf of iliaa
Revision: http://svn.php.net/viewvc/?view=revision&revision=292373
Log: MFH: Fixed bug #49851 (http wrapper breaks on 1024 char long headers).
 
Last updated: Thu Apr 17 03:01:55 2014 UTC