php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #64878 304 responses return Content-Type header
Submitted: 2013-05-19 19:58 UTC Modified: 2015-06-27 12:40 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: jdesrosi at gmail dot com Assigned: cmb
Status: Closed Package: Built-in web server
PHP Version: 5.4.15 OS: Fedora 18
Private report: No CVE-ID:
 [2013-05-19 19:58 UTC] jdesrosi at gmail dot com
Description:
------------
I have discovered that the built-in php web server sends a default Content-Type 
header (text/html) when responding with HTTP/1.1 304 Not Modified.  This clobbers 
the Content-Type stored in a cache and violates RFC2616-10.3.5 
(http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.5)

"If the conditional GET used a strong cache validator (see section 13.3.3), the 
response SHOULD NOT include other entity-headers. Otherwise (i.e., the 
conditional GET used a weak validator), the response MUST NOT include other 
entity-headers; this prevents inconsistencies between cached entity-bodies and 
updated headers."

I have found related tickets related the Apache.  This ticket differs only in 
that it refers to the built-in web server.

Test script:
---------------
<?php

header('HTTP/1.1 304 Not Modified');

Expected result:
----------------
HTTP/1.1 304 Not Modified
Host: localhost:8001
Connection: close
X-Powered-By: PHP/5.4.14

Actual result:
--------------
HTTP/1.1 304 Not Modified
Host: localhost:8001
Connection: close
X-Powered-By: PHP/5.4.14
Content-type: text/html

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-05-18 19:38 UTC] cmb@php.net
-Status: Open +Status: Analyzed
 [2015-05-18 19:38 UTC] cmb@php.net
According to RFC 7232 (which obsoletes RFC 2616), section 4.1, the
restrictions on sending a Content-Type header with 304 responses
have been slightly loosened (SHOULD NOT). So the behavior is not
necessarily a bug. However, it still seems reasonable to suppress
the default Content-Type header for 304 responses. I've submitted
a respective PR.
 [2015-06-27 12:38 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1920ba6f7bd1ce3c866ca947f51a1633dc892fce
Log: Fix #64878: 304 responses return Content-Type header
 [2015-06-27 12:38 UTC] cmb@php.net
-Status: Analyzed +Status: Closed
 [2015-06-27 12:40 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2015-06-27 12:40 UTC] cmb@php.net
The fix for this bug has been committed.

Thank you for the report, and for helping us make PHP better.
 [2015-07-07 23:37 UTC] ab@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1920ba6f7bd1ce3c866ca947f51a1633dc892fce
Log: Fix #64878: 304 responses return Content-Type header
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Wed Jun 28 12:01:42 2017 UTC