PHP :: Bug #80849 :: HTTP Status header truncation

Bug #80849

HTTP Status header truncation

Submitted:

2021-03-09 18:36 UTC

Modified:

2021-07-14 12:52 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

ben dot bidner at automattic dot com

Assigned:

cmb (profile)

Status:

Closed

Package:

CGI/CLI related

PHP Version:

8.0.3

OS:

Private report:

CVE-ID:

None

View Developer Edit

[2021-03-09 18:36 UTC] ben dot bidner at automattic dot com

Description:
------------
`sapi_cgi_send_headers()` (in both `sapi/fpm/fpm/fpm_main.c` and `sapi/cgi/cgi_main.c`) will truncate HTTP Status headers larger than `SAPI_CGI_MAX_HEADER_LENGTH` in the following cases, potentially causing the trailing CR LF to be stripped.

	`len = slprintf(buf, SAPI_CGI_MAX_HEADER_LENGTH, "%s\r\n", SG(sapi_headers).http_status_line);`
	`len = slprintf(buf, sizeof(buf), "Status:%s\r\n", s);`
	`len = slprintf(buf, sizeof(buf), "Status: %d %s\r\n", SG(sapi_headers).http_response_code, err->str);`
	`len = slprintf(buf, sizeof(buf), "Status: %d\r\n", SG(sapi_headers).http_response_code);`

Removing the CR LFs and explicitly sending them after the header is sent (as per other headers in the code below this) should be sufficient to fix?

Test script:
---------------
<?php
header( 'HTTP/1.1 201 ' . str_repeat( 'A', 1011 ), true );
exit;

Actual result:
--------------
The example above will return the following headers

HTTP/1.1 201 AAA...AAAContent-type: text/html; charset=UTF-8
Server: nginx
Date: Tue, 09 Mar 2021 18:06:36 GMT
Connection: keep-alive

Patches

Pull Requests

Pull requests:

Fix #80849: HTTP Status header truncation (php-src/7238)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2021-03-28 22:35 UTC] avinash dot roshan dot dsilva at gmail dot com

would the following change do the trick?

```
len = slprintf(buf, sizeof(buf)+2, "Status:%s\r\n",s);
```

[2021-07-14 12:52 UTC] cmb@php.net

-Status: Open +Status: Verified -Package: FPM related +Package: CGI/CLI related -Assigned To: +Assigned To: cmb

[2021-07-14 12:52 UTC] cmb@php.net

The following pull request has been associated:

Patch Name: Fix #80849: HTTP Status header truncation
On GitHub:  https://github.com/php/php-src/pull/7238
Patch:      https://github.com/php/php-src/pull/7238.patch

[2021-07-15 17:18 UTC] git@php.net

Automatic comment on behalf of cmb69
Revision: https://github.com/php/php-src/commit/a054ef2aadd52238eb85d2e4c2b2b989e554a705
Log: Fix #80849: HTTP Status header truncation

[2021-07-15 17:18 UTC] git@php.net

-Status: Verified +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 12:01:29 2024 UTC