|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78844 FPM does not support multiple HTTP request headers with the same name
Submitted: 2019-11-20 17:39 UTC Modified: 2023-02-09 16:31 UTC
Avg. Score:3.8 ± 0.7
Reproduced:4 of 4 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (25.0%)
From: mikk150 at gmail dot com Assigned: bukka (profile)
Status: Not a bug Package: FPM related
PHP Version: 7.3.11 OS: Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: mikk150 at gmail dot com
New email:
PHP Version: OS:


 [2019-11-20 17:39 UTC] mikk150 at gmail dot com
PHP $_SERVER['HTTP_*'] superglobal and getallheaders() does not actually give all headers.
If you have multiple header lines with same name, each SAPI does totally different thing(and all of them are wrong)

If I make request:
GET / HTTP/1.1
Forwarded: for=,for=;,;proto=https,proto=http
Forwarded: for=;;proto=http

I get 3 different responses based on SAPI

FPM only keeps last header
php -s only keeps first header
apache concatenates them with ,

PHP should implement new method to get all headers OR implement some class that has method to get all headers


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2019-11-20 18:44 UTC] mikk150 at gmail dot com
-Summary: Ability to get all client headers +Summary: Ability to get all client sent HTTP headers
 [2019-11-20 18:44 UTC] mikk150 at gmail dot com
summary more understandable
 [2019-11-20 19:03 UTC]
-Summary: Ability to get all client sent HTTP headers +Summary: FPM does not support multiple HTTP request headers with the same name -Type: Feature/Change Request +Type: Bug -Package: *Web Server problem +Package: FPM related
 [2019-11-20 19:03 UTC]
The ability to get headers is highly dependent on the SAPI. Apache's works nicely, but php -s is just a quick development server that is not going to be suitable for all purposes.

So really, the issue here is that php-fpm doesn't properly handle multiple headers. The HTTP spec requires that multiple headers only be allowed when their values can be combined into comma-separated lists, which means $_SERVER and getallheaders() are still sufficient.
 [2019-11-20 20:06 UTC] mikk150 at gmail dot com
Ah, I can see that now, I actually understood incorrectly.

I undestood that
GET / HTTP/1.1

would become
GET / HTTP/1.1

but it actually states that each field-value(seperated by semicolon) MUST NOT occur more than once per field-value

which means Apache is correct
GET / HTTP/1.1

As this is actually correct
 [2023-02-09 16:31 UTC]
-Status: Open +Status: Not a bug -Assigned To: +Assigned To: bukka
 [2023-02-09 16:31 UTC]
This is actually a server issue as it should convert it to the comma separated list as CGI spec does not allow multiple headers with the same name. This is actually what was fixed in nginx relatively recently:
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Fri Mar 24 00:03:44 2023 UTC