|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73841 ob_gzhandler() doesn't fully implement HTTP spec
Submitted: 2016-12-29 23:58 UTC Modified: 2018-02-14 16:36 UTC
Avg. Score:3.5 ± 1.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: giovanni at giacobbi dot net Assigned:
Status: Verified Package: Output Control
PHP Version: Irrelevant OS: Any
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2016-12-29 23:58 UTC] giovanni at giacobbi dot net
HTTP spec describes Accept-Encoding as a list with "quality values", i.e. it can be something like:

Accept-Encoding: gzip;q=1.0, deflate;q=0.7

There is a special case when q equals zero which means the client does NOT accept that particular value

Because the ob_gzhandler() is implemented with a strstr(Z_STRVAL_P(enc), "gzip"), the check fails to exclude "gzip;q=0"

Test script:
echo "Hello";


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2018-02-14 16:36 UTC]
-Status: Open +Status: Verified -Package: *Compression related +Package: Output Control
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Jan 23 11:01:26 2021 UTC