PHP :: Bug #77953 :: Headers are case-sensitive to $

Bug #77953

Headers are case-sensitive to $_SERVER

Submitted:

2019-04-29 13:31 UTC

Modified:

2019-04-29 14:57 UTC

Votes:	7
Avg. Score:	4.1 ± 1.5
Reproduced:	6 of 6 (100.0%)
Same Version:	3 (50.0%)
Same OS:	3 (50.0%)

From:

roger at tecnofit dot com dot br

Assigned:

Status:

Open

Package:

Apache2 related

PHP Version:

7.2.17

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

[2019-04-29 13:31 UTC] roger at tecnofit dot com dot br

Description:
------------
HTTP headers don't show up in $_SERVER if their case isn't capitalised.

Send the `Authorization` header to a script:
$_SERVER['HTTP_AUTHORIZATION'] will have your string.
Send the `authorization` (lowercase A) header to a script:
$_SERVER['HTTP_AUTHORIZATION'] will be null.

Some libs (flutter) and langs (dart) force lowercase headers relying on the RFC that states HTTP Headers are case-insentive, and marked the issue as "won't fix" using the RFC argument. This caused some clients to be locked out of our PHP APIs for now.

Patches

Pull Requests

Pull requests:

protect master branches except for the pecl repos against force pushes (karma/4)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-04-29 14:38 UTC] spam2 at rhsoft dot net

that's likely because it's how arrays are working by definition and there is no magic making superglobals behave different

php > $x=['a'=>1, 'A'=>2]; print_r($x);
Array
(
    [a] => 1
    [A] => 2
)

does the header not show up at all or is your code naive and only checks for HTTP_AUTHORIZATION in uppercase form?

additionally headers in HTTP2 are lowercase by definition as you can see below and i doubt that only applies to response-headers (that's a proxy and "x-response-time" from the backend for sure comes as "X-Response-Time"

HTTP/2 200
date: Mon, 29 Apr 2019 14:33:56 GMT
strict-transport-security: max-age=31536000
content-security-policy: script-src 'self' 'unsafe-inline' 'unsafe-eval';
x-frame-options: SAMEORIGIN
etag: 68fefde8d07528f48429f3f96ca70680
cache-control: private
last-modified: Mon, 28 Nov 2016 16:55:29 GMT
vary: Accept-Encoding,User-Agent
x-content-type-options: nosniff
x-response-time: D=5403 us
content-type: text/html; charset=ISO-8859-1
age: 0

[2019-04-29 14:57 UTC] nikic@php.net

Which SAPI are you using? Are PHP_AUTH_USER and PHP_AUTH_PW set?

[2019-04-29 18:37 UTC] roger at tecnofit dot com dot br

The code checks for $_SERVER['HTTP_AUTHORIZATION'] only, but it makes no sense for me to check for $_SERVER['HTTP_aUTHORIZATION'] seeing as the only letter that has changed is `A`, all http headers come in all uppercase when recognized and prefixed with `HTTP_` in the $_SERVER var, so I don't think it's script problem.

[2019-12-14 04:55 UTC] braxtonreed420 at hotmail dot com

The following pull request has been associated:

Patch Name: protect master branches except for the pecl repos against force pushes
On GitHub:  https://github.com/php/karma/pull/4
Patch:      https://github.com/php/karma/pull/4.patch

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Oct 27 12:00:02 2025 UTC