Bug #71653 sometimes wrong/old values appear in $_SERVER['HTTP_ACCEPT']
Submitted: 2016-02-23 17:43 UTC Modified: 2016-02-23 20:35 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: karim dot scheik at prisma-solutions dot at Assigned:
Status: Not a bug Package: Apache2 related
PHP Version: 7.0.3 OS: Linux
Private report: No CVE-ID: None
 [2016-02-23 17:43 UTC] karim dot scheik at prisma-solutions dot at
Description:
------------
apache-2.2.31 and PHP 7.0.3 and 5.6.18, pecl-apcu 5.1.3 on Gentoo Linux 4.1.15 x86-64 tested

A thumbnail script is called 36 times from a gallery web page generating and storing a thumbnail using imagick/gd and pecl-apcu and serving it either as webp or jpeg depending on HTTP_ACCEPT.
Sometimes (~1 in 200 thumbnails) the script will serve webp to a non-webp browser if it has been loaded/cached in a webp browser before (e.g. go to gallery with Opera/WebKit and then using Firefox).
After investigating (echoing back the HTTP_ACCEPT) it appears that the script receives the HTTP_ACCEPT from an older Opera/WebKit (webp) request, even though Firefox console shows it never sent that header.

Firefox console shows it sent "Accept: image/png,image/*;q=0.8,*/*;q=0.5" and PHP echoes back "X-Accept: image/webp,image/*,*/*;q=0.8" which was sent by Opera/WebKit seconds before that.

Maybe OpCache/APCu related? Or some threading/sharing problem?

Test script:
---------------
<?php

$format = isset($_SERVER['HTTP_ACCEPT']) && stripos($_SERVER['HTTP_ACCEPT'], 'image/webp') !== false ? 'webp' : 'jpeg';

// sometimes this is data from an old request of a different browser!!!
header('X-Accept: ' . $_SERVER['HTTP_ACCEPT']);

// create, output and store (APCu) thumb in $format

?>

Expected result:
----------------
$_SERVER['HTTP_ACCEPT'] should contain what the browser actually sent and thus

Actual result:
--------------
$_SERVER['HTTP_ACCEPT'] sometimes contains a foreign request made by a different browser some time ago

 [2016-02-23 17:50 UTC] karim dot scheik at prisma-solutions dot at
it seems the whole request is bogus/stale, even user-agent is from the old request:

Firefox makes a request and this is what (sometimes) comes back from header('X-User-Agent: "' . $_SERVER['HTTP_USER_AGENT'] . '"'), which is clearly not correct:
"Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.109 Safari/537.36 OPR/35.0.2066.68 (Edition Campaign 21)"
 [2016-02-23 18:33 UTC] karim dot scheik at prisma-solutions dot at
-Status: Open +Status: Closed
 [2016-02-23 18:33 UTC] karim dot scheik at prisma-solutions dot at
the problem appears to be Apache's mod_cache storing/caching headers as well
 [2016-02-23 20:35 UTC] requinix@php.net
-Status: Closed +Status: Not a bug
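
The reporter's conclusion (a cache in front of PHP replaying a stored response, echoed headers included) can be modelled with a toy shared cache; this is an added example, not code from the report or from PHP or Apache. The function names and the URL are hypothetical, the two Accept values are the ones quoted in the report, and the cache is assumed to honour the standard `Vary` response header.

```php
<?php
// Toy shared cache in front of the report's Accept negotiation (hypothetical names).

// Same negotiation as the test script in the report.
function negotiate_format(string $accept): string {
    return stripos($accept, 'image/webp') !== false ? 'webp' : 'jpeg';
}

// Origin response headers; $sendVary toggles the "Vary: Accept" response header.
function origin(array $reqHeaders, bool $sendVary): array {
    $accept = $reqHeaders['Accept'] ?? '';
    $headers = ['Content-Type' => 'image/' . negotiate_format($accept),
                'X-Accept' => $accept];   // echoed request header, as in the report
    if ($sendVary) {
        $headers['Vary'] = 'Accept';
    }
    return $headers;
}

// Cache key: URL plus the values of the request headers named in Vary.
function cache_key(string $url, array $reqHeaders, string $vary): string {
    $parts = [$url];
    foreach (array_filter(array_map('trim', explode(',', $vary))) as $name) {
        $parts[] = strtolower($name) . '=' . ($reqHeaders[$name] ?? '');
    }
    return implode('|', $parts);
}

// Serve from cache when a matching entry exists, otherwise ask the origin and store.
function fetch(array &$cache, string $url, array $reqHeaders, bool $sendVary): array {
    $vary = $cache['vary'][$url] ?? '';
    $key = cache_key($url, $reqHeaders, $vary);
    if (isset($cache['body'][$key])) {
        return $cache['body'][$key];            // hit: stored headers are replayed as-is
    }
    $resp = origin($reqHeaders, $sendVary);     // miss: PHP actually runs
    $cache['vary'][$url] = $resp['Vary'] ?? '';
    $cache['body'][cache_key($url, $reqHeaders, $cache['vary'][$url])] = $resp;
    return $resp;
}

$opera   = ['Accept' => 'image/webp,image/*,*/*;q=0.8'];       // value from the report
$firefox = ['Accept' => 'image/png,image/*;q=0.8,*/*;q=0.5'];  // value from the report
foreach ([false, true] as $sendVary) {
    $cache = [];
    fetch($cache, '/thumb.php?id=1', $opera, $sendVary);        // constructed URL
    $r = fetch($cache, '/thumb.php?id=1', $firefox, $sendVary);
    printf("Vary=%s: Firefox gets %s, X-Accept: %s\n", $sendVary ? 'yes' : 'no', $r['Content-Type'], $r['X-Accept']);
}
```

Without `Vary`, the second request never reaches PHP and receives the stored webp response with Opera's echoed Accept value, which matches the symptom described; with `Vary: Accept`, each Accept value gets its own cache entry.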
 
Last updated: Thu Apr 25 21:01:36 2024 UTC