|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #65633 built-in server treat some http headers as case-sensitive
Submitted: 2013-09-08 13:43 UTC Modified: 2013-09-09 23:42 UTC
From: francesco dot laffi at gmail dot com Assigned: aharvey (profile)
Status: Closed Package: Built-in web server
PHP Version: 5.5Git-2013-09-08 (snap) OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
16 + 25 = ?
Subscribe to this entry?

 [2013-09-08 13:43 UTC] francesco dot laffi at gmail dot com
The built-in server look for info in same headers in a case-sensitive way, but the 
rfc2616 define http headers fields as case insensitive. 
i.e. 'cookie: foo=bar' should be recognized but the the current cli server only 
recognize correctly 'Cookie: foo=bar'

I tried to fiddle with the code to confirm it, i.e in `sapi/cli/php_cli_server.c` 
in the function `sapi_cli_server_read_cookies`:
replace: if (FAILURE == zend_hash_find(&client->request.headers, "Cookie", 
sizeof("Cookie"), (void**)&val))
with: if (FAILURE == zend_hash_find(&client->request.headers, "Cookie", 
sizeof("Cookie"), (void**)&val) && FAILURE == zend_hash_find(&client-
>request.headers, "cookie", sizeof("cookie"), (void**)&val))

And cookies then worked correctly even with lowercase header field. 
I never developed in C so I wont be able to produce a full patch. The above 
snippet is not a suggestion on how to fix it, just pointing where the bug is. In 
the same file I see there are other headers checked in the same way. 

I also noticed that even if it doesnt fill the $_COOKIE superglobal it does put 
the cookie header in $_SERVER['HTTP_COOKIE'], so its already case-insensitive in 
some code.

Looking around about this I found this bug on other projects but I didnt 
found it here, other sources for reference:

Test script:
echo '<?php var_dump($_COOKIE);' > index.php
php -S
curl -H 'Cookie: foo=bar'
curl -H 'cookie: foo=bar'

Expected result:
the two curl request return the same output

Actual result:
> curl -H 'Cookie: foo=bar'
array(1) {
  string(3) "bar"
> curl -H 'cookie: foo=bar'
array(0) {


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2013-09-09 09:15 UTC] francesco dot laffi at gmail dot com
-Summary: PHP built-in server +Summary: built-in server treat some http headers as case-sensitive
 [2013-09-09 09:15 UTC] francesco dot laffi at gmail dot com
edited title
 [2013-09-09 23:42 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: aharvey
 [2013-09-09 23:42 UTC]
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at

 For Windows:
Thank you for the report, and for helping us make PHP better.

Fixed in 5.4, 5.5 and master.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon May 20 20:01:32 2024 UTC