php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70279 HTTP Authorization Header is sometimes passed to newer reqeusts
Submitted: 2015-08-16 00:59 UTC Modified: 2016-06-01 15:08 UTC
Votes:13
Avg. Score:4.6 ± 0.7
Reproduced:9 of 9 (100.0%)
Same Version:6 (66.7%)
Same OS:5 (55.6%)
From: steffenbrem at gmail dot com Assigned: laruence
Status: Closed Package: FPM related
PHP Version: 7.0Git-2015-08-16 (snap) OS: Ubuntu Trusty
Private report: No CVE-ID:
 [2015-08-16 00:59 UTC] steffenbrem at gmail dot com
Description:
------------
I have noticed a strange bug while using NGinx PPA stable and PHP7 FPM nightly build. When you send a request containing an Authorization header and after that send a request WITHOUT an Authorization header, PHP still thinks an Authorization header is present on the request (while it isn't).

This can cause a lot of trouble, especially since it is the Authorization header.

Expected result:
----------------
I expect that when you send a request with an authorization header and then the second time I send a request without an Authorization header, that for that runtime there is no Authorization header set.

Actual result:
--------------
What is happening now is that the authorization header from the previous request is also passed to the next requests. Even if you do not provide an Authorization header for the next requests.

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-08-16 01:04 UTC] steffenbrem at gmail dot com
Note that I use PHP in FastCGI mode and run it as an UNIX socket.
 [2015-08-16 01:56 UTC] steffenbrem at gmail dot com
I can confirm that this issue is not present when using PHP7 and Apache (running as php_mod). Will try to investigate and check PHP7-FPM on other OS.
 [2015-08-16 02:29 UTC] steffenbrem at gmail dot com
Tested it on Debian Jessie running Nginx 1.9.3-1 and PHP7-beta3 FPM (this one, to be exact: https://github.com/docker-library/php/blob/master/7.0/fpm/Dockerfile).

Same problem here.. It is only working as Apache module. The problem likely exists somewhere in the fpm sapi? 

I hope this is enough information to find the bug. For now I will stick to using apache2handler, which seems to be working fine.
 [2015-08-26 23:45 UTC] david at nnucomputerwhiz dot com
I can confirm this is happening in 7.0.0RC1 too running php-fpm and nginx 1.2.0. It appears to be any http header not just the Authorization header. It's causing problems on some sites because $_SERVER['HTTP_X_REQUESTED_WITH'] sometimes contains 'XMLHttpRequest' even if it wasn't sent in the current request but it was sent in previous requests. The problem is very intermittent and trivial scripts don't seem to reproduce it.
 [2015-08-27 02:58 UTC] yohgaki@php.net
-Package: *Web Server problem +Package: FPM related
 [2015-08-27 02:58 UTC] yohgaki@php.net
Reporter states it's FPM only issue.
It sounds like request clean up is not done well in FPM SAPI.
 [2015-08-27 05:31 UTC] david at nnucomputerwhiz dot com
Found an easy workaround which may help with troubleshooting. 
Setting pm.max_requests = 1 in the php-fpm config prevents this from happening since each process handles only 1 request. Obviously not a good idea in a production environment.
 [2015-09-09 15:37 UTC] steffen dot hanikel at meinfernbus dot de
I can confirm this problem running the PHP-7.0.0 branch.

Here's a very simple test case:
<?php
echo $_SERVER['HTTP_X_TEST']. "\n";
fastcgi_finish_request();

$ curl -H "X-Test: 123" http://test
123
curl http://test
123

I guess this is also an security problem.
 [2015-09-22 05:34 UTC] phofstetter at sensational dot ch
I haven't tested this yet (currently on mobile), but if I had to guess, I would say that this is caused by https://github.com/php/php-src/commit/f20118aa669f9992fee8a64024e623805669391b

I'll try without this commit later today and if my suspicions are correct, I'll try to come up with a patch.
 [2015-09-22 06:21 UTC] phofstetter at sensational dot ch
I can confirm now that my previous hunch was correct. This bug was introduced in f20118aa669f9992fee8a64024e623805669391b.

The testcase given by Steffen passes with f20118aa669f9992fee8a64024e623805669391b's parent but fails with f20118aa669f9992fee8a64024e623805669391b.

Unfortunately, the code has significantly changed since that commit was introduced, so an easy revert will not do. I'll try to investigate a bit more in order to come up with a fix that works on current HEAD - no promises though.
 [2015-09-22 07:30 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1d6228b46a9440a99eca42718a5a76dcd3e0aa12
Log: Fixed bug #70279 (HTTP Authorization Header is sometimes passed to newer reqeusts)
 [2015-09-22 07:31 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2015-09-29 13:10 UTC] ab@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1d6228b46a9440a99eca42718a5a76dcd3e0aa12
Log: Fixed bug #70279 (HTTP Authorization Header is sometimes passed to newer reqeusts)
 [2016-06-01 15:08 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2016-07-20 11:36 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1d6228b46a9440a99eca42718a5a76dcd3e0aa12
Log: Fixed bug #70279 (HTTP Authorization Header is sometimes passed to newer reqeusts)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Feb 21 18:01:40 2017 UTC