php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #73841 ob_gzhandler() doesn't fully implement HTTP spec
Submitted: 2016-12-29 23:58 UTC Modified: 2018-02-14 16:36 UTC
Votes:2
Avg. Score:3.5 ± 1.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: giovanni at giacobbi dot net Assigned:
Status: Verified Package: Output Control
PHP Version: Irrelevant OS: Any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Have you experienced this issue?
Rate the importance of this bug to you:

 [2016-12-29 23:58 UTC] giovanni at giacobbi dot net 
Description:
------------
HTTP spec describes Accept-Encoding as a list with "quality values", i.e. it can be something like:

Accept-Encoding: gzip;q=1.0, deflate;q=0.7

There is a special case when q equals zero which means the client does NOT accept that particular value

Because the ob_gzhandler() is implemented with a strstr(Z_STRVAL_P(enc), "gzip"), the check fails to exclude "gzip;q=0"


Test script:
---------------
<?php
ob_start("ob_gzhandler");
echo "Hello";

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-02-14 16:36 UTC] cmb@php.net
-Status: Open +Status: Verified -Package: *Compression related +Package: Output Control
 [2018-02-14 16:36 UTC] cmb@php.net 
See <https://tools.ietf.org/html/rfc7231#section-5.3.4>.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved. 		Last updated: Sat Jan 18 00:01:23 2020 UTC