Bug #71466 fopen php://input without reading from it terminates script output prematurely
Submitted: 2016-01-27 22:34 UTC
Modified: 2016-02-08 03:05 UTC
Votes:5
Avg. Score:4.4 ± 0.8
Reproduced:5 of 5 (100.0%)
Same Version:5 (100.0%)
Same OS:3 (60.0%)
From: robin at mccorkell dot me dot uk
Assigned: laruence
Status: Closed
Package: FPM related
PHP Version: 7.0.2
OS: Arch Linux x86_64
Private report: No
CVE-ID: None
 [2016-01-27 22:34 UTC] robin at mccorkell dot me dot uk
Description:
------------
This bug occurs only with php-fpm using the unix socket; mod_php and php-fpm with TCP sockets were also tested and did not exhibit this bug.

When a script opens php://input for reading, then does not read from it, the connection to any client is terminated early: cURL reports "transfer closed with outstanding read data remaining", nginx reports "readv() failed (104: Connection reset by peer) while reading upstream".

This also only occurs if some body has been sent with the request, so GETs are unaffected. It also seems that POSTs are unaffected (in contrast to PUT, PATCH, PROPFIND etc., which do have this issue).

To reproduce, set up an environment as described above, put the attached test script in an accessible place, then run the following or equivalent:

curl -i -X PROPFIND http://hostname/path/to/script.php -d "ping"

Downstream bug reports:

https://github.com/owncloud/core/issues/21935
https://stackoverflow.com/questions/34244406/readv-failed-on-propfind-request-while-reading-php-input-php-7-nginx

Test script:
---------------
<?php

$fh = fopen("php://input", "r");
echo "pong";

Expected result:
----------------
pong

Notice that removing the body (remove -d "ping" from the cURL line), or reading some bytes from the php://input stream, or not opening the input stream at all, will result in the expected "pong" response.

Actual result:
--------------
transfer closed with outstanding read data remaining
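
Added example, not part of the original report or of PHP or nginx code: a triage pass over an nginx error log that separates upstream resets fitting the conditions described above (php-fpm over a unix socket, method other than GET or POST) from resets that point elsewhere. Only the symptom string comes from the report; the sample lines, hostnames, paths and the assumed nginx error-log field layout are constructed.

```python
import re
from collections import Counter

# Symptom text as quoted in the report.
SYMPTOM = "readv() failed (104: Connection reset by peer) while reading upstream"
# Assumed field layout: nginx's usual error-log fields 'request: "..."' and 'upstream: "..."'.
REQUEST = re.compile(r'request: "(?P<method>[A-Z]+) (?P<uri>\S+)')
UPSTREAM = re.compile(r'upstream: "(?P<upstream>[^"]+)"')
# Per the report: GET (no body) and, apparently, POST are unaffected.
UNAFFECTED = {"GET", "POST"}

# Constructed sample log lines (not taken from the report).
SAMPLE_LOG = """\
2016/01/27 22:30:01 [error] 812#0: *5 readv() failed (104: Connection reset by peer) while reading upstream, client: 192.0.2.10, server: example.test, request: "PROPFIND /dav/files HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/php-fpm.sock:", host: "example.test"
2016/01/27 22:30:07 [error] 812#0: *9 readv() failed (104: Connection reset by peer) while reading upstream, client: 192.0.2.10, server: example.test, request: "PUT /dav/files/a.txt HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/php-fpm.sock:", host: "example.test"
2016/01/27 22:31:12 [error] 812#0: *14 readv() failed (104: Connection reset by peer) while reading upstream, client: 192.0.2.11, server: example.test, request: "POST /index.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "example.test"
2016/01/27 22:31:40 [error] 812#0: *17 connect() failed (111: Connection refused) while connecting to upstream, client: 192.0.2.12, server: example.test, request: "GET / HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "example.test"
2016/01/27 22:32:03 [error] 812#0: *21 readv() failed (104: Connection reset by peer) while reading upstream, client: 192.0.2.10, server: example.test, request: "PROPFIND /dav/files HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/php-fpm.sock:", host: "example.test"
"""


def triage(log_text):
    """Count symptom lines per (method, uri).

    Returns (suspects, other): 'suspects' fit the report's conditions
    (unix-socket upstream, method not GET/POST); 'other' show the same
    symptom but do not fit, so another cause is more likely.
    """
    suspects, other = Counter(), Counter()
    for line in log_text.splitlines():
        if SYMPTOM not in line:
            continue  # a different upstream error, not this symptom
        req, up = REQUEST.search(line), UPSTREAM.search(line)
        if not req or not up:
            continue  # truncated or unexpected line layout
        method = req.group("method")
        over_unix = up.group("upstream").startswith("fastcgi://unix:")
        bucket = suspects if over_unix and method not in UNAFFECTED else other
        bucket[(method, req.group("uri"))] += 1
    return suspects, other


if __name__ == "__main__":
    suspects, other = triage(SAMPLE_LOG)
    for (method, uri), n in suspects.most_common():
        print(f"fits report conditions: {n}x {method} {uri}")
    for (method, uri), n in other.most_common():
        print(f"same symptom, other conditions: {n}x {method} {uri}")
```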

 [2016-01-28 12:23 UTC] robin at mccorkell dot me dot uk
I did a bisect on the source; 18cf4e0a8a574034f60f4d123407c173e57e54ec is the breaking commit.
 [2016-02-08 03:05 UTC] laruence@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: laruence
 [2016-02-08 03:05 UTC] laruence@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

