|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #52162 for NSAPI module, custom request header variables with numbers are removed
Submitted: 2010-06-23 19:02 UTC Modified: 2015-06-29 09:05 UTC
From: Assigned: thetaphi (profile)
Status: Closed Package: iPlanet related
PHP Version: 5.3.2 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
New email:
PHP Version: OS:


 [2010-06-23 19:02 UTC]
for example, if u try to request print-header.php (which contains the following)

  print "\nContents of \$_SERVER:\n";
  foreach ($_SERVER as $k => $v) {
     print "   $k = $v\n";
  print "</pre>\n";

by doing some thing like
$ telnet localhost 80
Connected to s10u7x.
Escape character is '^]'.
GET /print-header.php HTTP/1.0
X-T3crawler: foobar

u get output as 
HTTP_X_T_CRAWLER = foobar -> unexpected result

what do u expect is 

HTTP_X_T3_CRAWLER = foobar -> expected result

Expected result:
HTTP_X_T3_CRAWLER = foobar -> expected result

Actual result:
u get output as 
HTTP_X_T_CRAWLER = foobar -> unexpected result


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2010-06-23 20:04 UTC]
here is the suggested patch to address this issue

[sn123202@mbelshe]'PHP_5_3'>svn diff sapi/nsapi/nsapi.c 
Index: sapi/nsapi/nsapi.c
--- sapi/nsapi/nsapi.c  (revision 300702)
+++ sapi/nsapi/nsapi.c  (working copy)
@@ -687,7 +687,7 @@
                                if (value) {
                                        for(p = value + pos; *p; p++) {
                                                *p = toupper(*p);
-                                               if (*p < 'A' || *p > 'Z') {
+                                               if (!isalnum(*p)) {
                                                        *p = '_';

if no one has any issues, i can commit this patch..
 [2010-06-23 20:06 UTC]
-Summary: custom request header variables with numbers are removed +Summary: for NSAPI module, custom request header variables with numbers are removed
 [2010-06-23 20:06 UTC]
mark the bug as specific to a given SAPI only.
 [2010-06-23 20:28 UTC]
-Assigned To: +Assigned To: thetaphi
 [2010-06-23 20:28 UTC]
I will fix that! Thanks for reporting. Uwe
 [2010-06-23 20:30 UTC]
I think this problem also affects other SAPIs that parse headers to ENV-style variables? I will scan other sapis and fix their code, too, if needed.
 [2010-06-23 21:06 UTC]
Automatic comment from SVN on behalf of srinatar
Log: - Fixed bug #52162 (custom request header variables with numbers are removed)
 [2010-06-23 21:41 UTC]
From the CGI/1.1 spec in RFC3875:
   Meta-variables with names beginning with "HTTP_" contain values read
   from the client request header fields, if the protocol used is HTTP.
   The HTTP header field name is converted to upper case, has all
   occurrences of "-" replaced with "_" and has "HTTP_" prepended to
   give the meta-variable name.  The header data can be presented as
   sent by the client, or can be rewritten in ways which do not change
   its semantics.  If multiple header fields with the same field-name
   are received then the server MUST rewrite them as a single value
   having the same semantics.  Similarly, a header field that spans
   multiple lines MUST be merged onto a single line.  The server MUST,
   if necessary, change the representation of the data (for example,
   the character set) to be appropriate for a CGI meta-variable.

So I tend to remove the check explicitely and only specifically handle the "-" character as described in the specs.
 [2015-06-29 09:05 UTC]
-Status: Assigned +Status: Closed
 [2015-06-29 09:05 UTC]
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at

 For Windows:
Thank you for the report, and for helping us make PHP better.

This was already fixed. The remaining change will not be done anymore, as the NSAPI module was retired for PHP 7.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon May 20 05:01:32 2024 UTC