Bug #80849 HTTP Status header truncation
Submitted: 2021-03-09 18:36 UTC
Modified: -
From: ben dot bidner at automattic dot com
Assigned:
Status: Open
Package: FPM related
PHP Version: 8.0.3
OS:
Private report: No
CVE-ID: None

 [2021-03-09 18:36 UTC] ben dot bidner at automattic dot com
Description:
------------
`sapi_cgi_send_headers()` (in both `sapi/fpm/fpm/fpm_main.c` and `sapi/cgi/cgi_main.c`) will truncate HTTP Status headers larger than `SAPI_CGI_MAX_HEADER_LENGTH` in the following cases, potentially causing the trailing CR LF to be stripped.

	`len = slprintf(buf, SAPI_CGI_MAX_HEADER_LENGTH, "%s\r\n", SG(sapi_headers).http_status_line);`
	`len = slprintf(buf, sizeof(buf), "Status:%s\r\n", s);`
	`len = slprintf(buf, sizeof(buf), "Status: %d %s\r\n", SG(sapi_headers).http_response_code, err->str);`
	`len = slprintf(buf, sizeof(buf), "Status: %d\r\n", SG(sapi_headers).http_response_code);`

Removing the CR LFs and explicitly sending them after the header is sent (as per other headers in the code below this) should be sufficient to fix?

Test script:
---------------
```
<?php
header( 'HTTP/1.1 201 ' . str_repeat( 'A', 1011 ), true );
exit;
```

Actual result:
--------------
The example above will return the following headers

```
HTTP/1.1 201 AAA...AAAContent-type: text/html; charset=UTF-8
Server: nginx
Date: Tue, 09 Mar 2021 18:06:36 GMT
Connection: keep-alive
```
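
The truncation described in this report and the fix it suggests, as an added example that is not part of the original report or of PHP's source. Standard `snprintf` stands in for `slprintf`, the buffer size of 1024 is an assumption, and `MAX_HEADER_LENGTH`, `respond_inline`, `respond_split` and `first_line_len` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HEADER_LENGTH 1024 /* assumed size, for this sketch only */

/* Reported pattern: CR LF sits inside the bounded format, so it is the
 * first thing cut when the status line fills the buffer. snprintf is a
 * stand-in for the SAPI's bounded formatter; both truncate silently. */
static void respond_inline(char *out, size_t cap, const char *status, const char *next)
{
    char buf[MAX_HEADER_LENGTH];
    snprintf(buf, sizeof(buf), "%s\r\n", status);
    snprintf(out, cap, "%s%s", buf, next);
}

/* Suggested pattern: bound only the text, then always emit CR LF.
 * The status text may still be cut, but the line is always terminated. */
static void respond_split(char *out, size_t cap, const char *status, const char *next)
{
    char buf[MAX_HEADER_LENGTH];
    snprintf(buf, sizeof(buf), "%s", status);
    snprintf(out, cap, "%s\r\n%s", buf, next);
}

/* Offset of the first CR LF, i.e. the length of the first header line. */
static size_t first_line_len(const char *resp)
{
    const char *eol = strstr(resp, "\r\n");
    return eol ? (size_t)(eol - resp) : strlen(resp);
}

int main(void)
{
    /* Constructed input: same status line length as the test script. */
    char status[1100] = "HTTP/1.1 201 ", a[2048], b[2048];
    const char *next = "Content-type: text/html; charset=UTF-8\r\n";
    memset(status + 13, 'A', 1011);
    respond_inline(a, sizeof(a), status, next);
    respond_split(b, sizeof(b), status, next);
    /* inline: the first line runs on into the next header; split: it does not */
    printf("first line: inline=%zu split=%zu\n", first_line_len(a), first_line_len(b));
    return 0;
}
```

A first-line length greater than the header buffer size is a usable regression check: it can only occur when the status line's terminator was dropped and the next header was appended to it.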

 [2021-03-28 22:35 UTC] avinash dot roshan dot dsilva at gmail dot com
Would the following change do the trick?

```
len = slprintf(buf, sizeof(buf)+2, "Status:%s\r\n",s);
```
 
Last updated: Tue May 18 18:01:23 2021 UTC