|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78844 FPM does not support multiple HTTP request headers with the same name
Submitted: 2019-11-20 17:39 UTC Modified: 2023-02-09 16:31 UTC
Avg. Score:3.8 ± 0.7
Reproduced:4 of 4 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (25.0%)
From: mikk150 at gmail dot com Assigned: bukka (profile)
Status: Not a bug Package: FPM related
PHP Version: 7.3.11 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
28 + 30 = ?
Subscribe to this entry?

 [2019-11-20 17:39 UTC] mikk150 at gmail dot com
PHP $_SERVER['HTTP_*'] superglobal and getallheaders() does not actually give all headers.
If you have multiple header lines with same name, each SAPI does totally different thing(and all of them are wrong)

If I make request:
GET / HTTP/1.1
Forwarded: for=,for=;,;proto=https,proto=http
Forwarded: for=;;proto=http

I get 3 different responses based on SAPI

FPM only keeps last header
php -s only keeps first header
apache concatenates them with ,

PHP should implement new method to get all headers OR implement some class that has method to get all headers


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2019-11-20 18:44 UTC] mikk150 at gmail dot com
-Summary: Ability to get all client headers +Summary: Ability to get all client sent HTTP headers
 [2019-11-20 18:44 UTC] mikk150 at gmail dot com
summary more understandable
 [2019-11-20 19:03 UTC]
-Summary: Ability to get all client sent HTTP headers +Summary: FPM does not support multiple HTTP request headers with the same name -Type: Feature/Change Request +Type: Bug -Package: *Web Server problem +Package: FPM related
 [2019-11-20 19:03 UTC]
The ability to get headers is highly dependent on the SAPI. Apache's works nicely, but php -s is just a quick development server that is not going to be suitable for all purposes.

So really, the issue here is that php-fpm doesn't properly handle multiple headers. The HTTP spec requires that multiple headers only be allowed when their values can be combined into comma-separated lists, which means $_SERVER and getallheaders() are still sufficient.
 [2019-11-20 20:06 UTC] mikk150 at gmail dot com
Ah, I can see that now, I actually understood incorrectly.

I undestood that
GET / HTTP/1.1

would become
GET / HTTP/1.1

but it actually states that each field-value(seperated by semicolon) MUST NOT occur more than once per field-value

which means Apache is correct
GET / HTTP/1.1

As this is actually correct
 [2023-02-09 16:31 UTC]
-Status: Open +Status: Not a bug -Assigned To: +Assigned To: bukka
 [2023-02-09 16:31 UTC]
This is actually a server issue as it should convert it to the comma separated list as CGI spec does not allow multiple headers with the same name. This is actually what was fixed in nginx relatively recently:
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Thu Nov 30 04:01:25 2023 UTC