PHP :: Bug #52162 :: for NSAPI module, custom request header variables with numbers are removed

Bug #52162	for NSAPI module, custom request header variables with numbers are removed
Submitted:	2010-06-23 19:02 UTC	Modified:	2015-06-29 09:05 UTC
From:	srinatar@php.net	Assigned:	thetaphi (profile)
Status:	Closed	Package:	iPlanet related
PHP Version:	5.3.2	OS:	Linux
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	srinatar@php.net
New email:
PHP Version:		OS:

New Comment:

[2010-06-23 19:02 UTC] srinatar@php.net

Description:
------------
for example, if u try to request print-header.php (which contains the following)

<?
  print "\nContents of \$_SERVER:\n";
  foreach ($_SERVER as $k => $v) {
     print "   $k = $v\n";
  }
  print "</pre>\n";
?>


by doing some thing like
$ telnet localhost 80
Trying 192.168.20.126...
Connected to s10u7x.
Escape character is '^]'.
GET /print-header.php HTTP/1.0
X-T3crawler: foobar

u get output as 
HTTP_X_T_CRAWLER = foobar -> unexpected result

what do u expect is 

HTTP_X_T3_CRAWLER = foobar -> expected result

Expected result:
----------------
HTTP_X_T3_CRAWLER = foobar -> expected result

Actual result:
--------------
u get output as 
HTTP_X_T_CRAWLER = foobar -> unexpected result

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2010-06-23 20:04 UTC] srinatar@php.net

here is the suggested patch to address this issue


[sn123202@mbelshe]'PHP_5_3'>svn diff sapi/nsapi/nsapi.c 
Index: sapi/nsapi/nsapi.c
===================================================================
--- sapi/nsapi/nsapi.c  (revision 300702)
+++ sapi/nsapi/nsapi.c  (working copy)
@@ -687,7 +687,7 @@
                                if (value) {
                                        for(p = value + pos; *p; p++) {
                                                *p = toupper(*p);
-                                               if (*p < 'A' || *p > 'Z') {
+                                               if (!isalnum(*p)) {
                                                        *p = '_';
                                                }
                                        }


if no one has any issues, i can commit this patch..

[2010-06-23 20:06 UTC] srinatar@php.net

-Summary: custom request header variables with numbers are removed +Summary: for NSAPI module, custom request header variables with numbers are removed

[2010-06-23 20:06 UTC] srinatar@php.net

mark the bug as specific to a given SAPI only.

[2010-06-23 20:28 UTC] thetaphi@php.net

-Assigned To: +Assigned To: thetaphi

[2010-06-23 20:28 UTC] thetaphi@php.net

I will fix that! Thanks for reporting. Uwe

[2010-06-23 20:30 UTC] thetaphi@php.net

I think this problem also affects other SAPIs that parse headers to ENV-style variables? I will scan other sapis and fix their code, too, if needed.

[2010-06-23 21:06 UTC] srinatar@php.net

Automatic comment from SVN on behalf of srinatar
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=300707
Log: - Fixed bug #52162 (custom request header variables with numbers are removed)

[2010-06-23 21:41 UTC] thetaphi@php.net

From the CGI/1.1 spec in RFC3875:
   Meta-variables with names beginning with "HTTP_" contain values read
   from the client request header fields, if the protocol used is HTTP.
   The HTTP header field name is converted to upper case, has all
   occurrences of "-" replaced with "_" and has "HTTP_" prepended to
   give the meta-variable name.  The header data can be presented as
   sent by the client, or can be rewritten in ways which do not change
   its semantics.  If multiple header fields with the same field-name
   are received then the server MUST rewrite them as a single value
   having the same semantics.  Similarly, a header field that spans
   multiple lines MUST be merged onto a single line.  The server MUST,
   if necessary, change the representation of the data (for example,
   the character set) to be appropriate for a CGI meta-variable.

So I tend to remove the check explicitely and only specifically handle the "-" character as described in the specs.

[2015-06-29 09:05 UTC] thetaphi@php.net

-Status: Assigned +Status: Closed

[2015-06-29 09:05 UTC] thetaphi@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

This was already fixed. The remaining change will not be done anymore, as the NSAPI module was retired for PHP 7.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 09:01:27 2024 UTC