php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77953 Headers are case-sensitive to $_SERVER
Submitted: 2019-04-29 13:31 UTC Modified: 2019-04-29 14:57 UTC
Votes:7
Avg. Score:4.1 ± 1.5
Reproduced:6 of 6 (100.0%)
Same Version:3 (50.0%)
Same OS:3 (50.0%)
From: roger at tecnofit dot com dot br Assigned:
Status: Open Package: Apache2 related
PHP Version: 7.2.17 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: roger at tecnofit dot com dot br
New email:
PHP Version: OS:

 

 [2019-04-29 13:31 UTC] roger at tecnofit dot com dot br
Description:
------------
HTTP headers don't show up in $_SERVER if their case isn't capitalised.

Send the `Authorization` header to a script:
$_SERVER['HTTP_AUTHORIZATION'] will have your string.
Send the `authorization` (lowercase A) header to a script:
$_SERVER['HTTP_AUTHORIZATION'] will be null.

Some libs (flutter) and langs (dart) force lowercase headers relying on the RFC that states HTTP Headers are case-insentive, and marked the issue as "won't fix" using the RFC argument. This caused some clients to be locked out of our PHP APIs for now.


Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-04-29 14:38 UTC] spam2 at rhsoft dot net
that's likely because it's how arrays are working by definition and there is no magic making superglobals behave different

php > $x=['a'=>1, 'A'=>2]; print_r($x);
Array
(
    [a] => 1
    [A] => 2
)

does the header not show up at all or is your code naive and only checks for HTTP_AUTHORIZATION in uppercase form?

additionally headers in HTTP2 are lowercase by definition as you can see below and i doubt that only applies to response-headers (that's a proxy and "x-response-time" from the backend for sure comes as "X-Response-Time"

HTTP/2 200
date: Mon, 29 Apr 2019 14:33:56 GMT
strict-transport-security: max-age=31536000
content-security-policy: script-src 'self' 'unsafe-inline' 'unsafe-eval';
x-frame-options: SAMEORIGIN
etag: 68fefde8d07528f48429f3f96ca70680
cache-control: private
last-modified: Mon, 28 Nov 2016 16:55:29 GMT
vary: Accept-Encoding,User-Agent
x-content-type-options: nosniff
x-response-time: D=5403 us
content-type: text/html; charset=ISO-8859-1
age: 0
 [2019-04-29 14:57 UTC] nikic@php.net
Which SAPI are you using? Are PHP_AUTH_USER and PHP_AUTH_PW set?
 [2019-04-29 18:37 UTC] roger at tecnofit dot com dot br
The code checks for $_SERVER['HTTP_AUTHORIZATION'] only, but it makes no sense for me to check for $_SERVER['HTTP_aUTHORIZATION'] seeing as the only letter that has changed is `A`, all http headers come in all uppercase when recognized and prefixed with `HTTP_` in the $_SERVER var, so I don't think it's script problem.
 [2019-12-14 04:55 UTC] braxtonreed420 at hotmail dot com
The following pull request has been associated:

Patch Name: protect master branches except for the pecl repos against force pushes
On GitHub:  https://github.com/php/karma/pull/4
Patch:      https://github.com/php/karma/pull/4.patch
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 14:01:30 2024 UTC