Bug #78200 php-fpm doesn't prevent bogus Status-Line header to be send
Submitted: 2019-06-23 15:03 UTC Modified: 2019-06-27 12:05 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: vnsavage at gmail dot com Assigned:
Status: Verified Package: *General Issues
PHP Version: 7.2.19 OS: Debian
Private report: No CVE-ID: None


 [2019-06-23 15:03 UTC] vnsavage at gmail dot com
PHP-FPM will not validate that the HTTP status line set in PHP is correct as described in rfc2616. Thus it will forward an incorrect CGI "Status:" response (which doesn't conform to rfc3875).

Test script:
Set this incorrect header from PHP: 

header( 'HTTP/1.1 Service Unavailable', true, 503 );

Then in sapi/fpm/fpm/fpm_main.c we have

                len = slprintf(buf, sizeof(buf), "Status:%s\r\n", s);

which results in "Status: Service Unavailable" sent to the CGI socket.


 [2019-06-27 12:01 UTC]
-Status: Open +Status: Verified
 [2019-06-27 12:01 UTC]
nginx responds with "502 Bad Gateway" and logs

> upstream sent invalid status "Service Unavailable" while reading response header from upstream,

While this is documented as such, maybe the header should be validated before being sent out.
 [2019-06-27 12:05 UTC]
-Summary: php-fpm status parsing +Summary: php-fpm doesn't prevent bogus Status-Line header to be send
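
One way to do the validation suggested above, as an added example (not code from PHP-FPM or from this report): the hypothetical helper `build_cgi_status` checks the status line against the RFC 2616 grammar and only then emits the RFC 3875 "Status:" header, so the reporter's `HTTP/1.1 Service Unavailable` is rejected instead of being written to the socket. The function name, buffer sizes and sample inputs are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not PHP source. Grammar being enforced:
 *   RFC 2616  Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase
 *   RFC 3875  Status      = "Status:" status-code SP reason-phrase NL
 * Returns the number of bytes written to out, or -1 if the line is rejected. */
int build_cgi_status(const char *status_line, char *out, size_t outsz)
{
    const char *p = status_line, *code, *reason;
    int i, n;

    /* HTTP-Version = "HTTP/" 1*DIGIT "." 1*DIGIT, then SP */
    if (strncmp(p, "HTTP/", 5) != 0) return -1;
    p += 5;
    if (!isdigit((unsigned char)*p)) return -1;
    while (isdigit((unsigned char)*p)) p++;
    if (*p++ != '.') return -1;
    if (!isdigit((unsigned char)*p)) return -1;
    while (isdigit((unsigned char)*p)) p++;
    if (*p++ != ' ') return -1;

    /* Status-Code = 3DIGIT, then SP. "Service Unavailable" fails here. */
    code = p;
    for (i = 0; i < 3; i++)
        if (!isdigit((unsigned char)p[i])) return -1;
    if (p[3] != ' ') return -1;
    reason = p + 4;

    /* Reason-Phrase: reject control characters so CR/LF cannot end the header early. */
    for (p = reason; *p; p++)
        if (iscntrl((unsigned char)*p) && *p != '\t') return -1;

    n = snprintf(out, outsz, "Status: %.3s %s\r\n", code, reason);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void)
{
    /* Constructed inputs: the header from the report, then a well-formed one. */
    const char *lines[] = { "HTTP/1.1 Service Unavailable", "HTTP/1.1 503 Service Unavailable" };
    char buf[128];
    for (int k = 0; k < 2; k++) {
        int n = build_cgi_status(lines[k], buf, sizeof buf);
        printf("%-34s -> %s", lines[k], n < 0 ? "rejected\n" : buf);
    }
    return 0;
}
```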
Last updated: Fri Jul 12 16:01:32 2024 UTC