php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72231 headers() changes the order headers are sent
Submitted: 2016-05-17 16:52 UTC Modified: 2021-03-10 13:22 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:-1 (-100.0%)
From: Jim dot Nickerson at Gmail dot com Assigned: cmb (profile)
Status: Closed Package: Apache related
PHP Version: 5.6.21 OS: shared linux on 1and1
Private report: No CVE-ID: None
 [2016-05-17 16:52 UTC] Jim dot Nickerson at Gmail dot com
Description:
------------
headers() sends the header lines out of order.
Content-Type: is sent before all others.


Test script:
---------------
<?php
    //jim header order test
    $str = "php version " . phpversion() . "\r\n" . file_get_contents(__FILE__);
    $dataToSend = htmlspecialchars($str);
    $HeaderLine = 'Content-Disposition: attachment; filename="helloworld.txt"; modification-date="' . date('r', $mtime) . '";';
    header( $HeaderLine );
    // Set the length so the browser can set the download timers
    $HeaderLine = "Content-Length: " . strlen($dataToSend);
    header( $HeaderLine );
    //
    $HeaderLine = 'Content-Type: application/octet-stream';
    header( $HeaderLine );   //with php 5.6 on 1and1 this header is sent first
    echo $dataToSend;
    exit();
?>

Expected result:
----------------
Content-Disposition: attachment; filename="helloworld.txt"; modification-Content-Length: 736
Content-Type: application/octet-stream

I asked for Content-Disposition: first
Content-Type was sent first.
In previous versions the sequence was as expected.
I will change my code which was sequence dependent to deal with this change.
As I read the RFCs the header sequence is not defined.
I do not mind if it is different but it would have been kind to mention it.

Actual result:
--------------
GET /test/jimheaderordertest.php HTTP/1.1
Host: jimnickerson.com
Connection: keep-alive
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: __utma=22519968.1492443519.1459950119.1461599126.1462887119.4; __utmz=22519968.1459950119.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=2a5ad476d63ffddf1e55afa4f3723f90

HTTP/1.1 200 OK
Date: Tue, 17 May 2016 16:29:51 GMT
Content-Type: application/octet-stream
Content-Length: 736
Connection: keep-alive
Keep-Alive: timeout=15
Server: Apache
X-Powered-By: PHP/5.6.21
Content-Disposition: attachment; filename="helloworld.txt"; modification-date="Wed, 31 Dec 1969 19:00:00 -0500";

php version 5.6.21
&lt;?php
    //jim header order test
    $str = &quot;php version &quot; . phpversion() . &quot;\r\n&quot; . file_get_contents(__FILE__);
    $dataToSend = htmlspecialchars($str);
    $HeaderLine = 'Content-Disposition: attachment; filename=&quot;helloworld.txt&quot;; modification-date=&quot;' . date('r', $mtime) . '&quot;;';
    header( $HeaderLine );
    // Set the length so the browser can set the download timers
    $HeaderLine = &quot;Content-Length: &quot; . strlen($dataToSend);
    header( $HeaderLine );
    //
    $HeaderLine = 'Content-Type: application/octet-stream';
    header( $HeaderLine );   //with php 5.6 on 1and1 this header is sent first
    echo $dataToSend;
    exit();
?&gt;

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-05-17 17:20 UTC] Jim dot Nickerson at Gmail dot com
$mtime should be changed to time()
this code was copied from another project where $mtime existed
 [2021-03-10 13:22 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2021-03-10 13:22 UTC] cmb@php.net
> As I read the RFCs the header sequence is not defined.

Indeed.

> I do not mind if it is different but it would have been kind to
> mention it.

Yes, that would have made sense, but that ship sailed long ago.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 06:01:30 2024 UTC