|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #80849 HTTP Status header truncation
Submitted: 2021-03-09 18:36 UTC Modified: 2021-07-14 12:52 UTC
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: ben dot bidner at automattic dot com Assigned: cmb (profile)
Status: Closed Package: CGI/CLI related
PHP Version: 8.0.3 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
Solve the problem:
37 - 17 = ?
Subscribe to this entry?

 [2021-03-09 18:36 UTC] ben dot bidner at automattic dot com
`sapi_cgi_send_headers()` (in both `sapi/fpm/fpm/fpm_main.c` and `sapi/cgi/cgi_main.c`) will truncate HTTP Status headers larger than `SAPI_CGI_MAX_HEADER_LENGTH` in the following cases, potentially causing the trailing CR LF to be stripped.

	`len = slprintf(buf, SAPI_CGI_MAX_HEADER_LENGTH, "%s\r\n", SG(sapi_headers).http_status_line);`
	`len = slprintf(buf, sizeof(buf), "Status:%s\r\n", s);`
	`len = slprintf(buf, sizeof(buf), "Status: %d %s\r\n", SG(sapi_headers).http_response_code, err->str);`
	`len = slprintf(buf, sizeof(buf), "Status: %d\r\n", SG(sapi_headers).http_response_code);`

Removing the CR LFs and explicitly sending them after the header is sent (as per other headers in the code below this) should be sufficient to fix?

Test script:
header( 'HTTP/1.1 201 ' . str_repeat( 'A', 1011 ), true );

Actual result:
The example above will return the following headers

HTTP/1.1 201 AAA...AAAContent-type: text/html; charset=UTF-8
Server: nginx
Date: Tue, 09 Mar 2021 18:06:36 GMT
Connection: keep-alive


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2021-03-28 22:35 UTC] avinash dot roshan dot dsilva at gmail dot com
would the following change do the trick?

len = slprintf(buf, sizeof(buf)+2, "Status:%s\r\n",s);
 [2021-07-14 12:52 UTC]
-Status: Open +Status: Verified -Package: FPM related +Package: CGI/CLI related -Assigned To: +Assigned To: cmb
 [2021-07-14 12:52 UTC]
The following pull request has been associated:

Patch Name: Fix #80849: HTTP Status header truncation
On GitHub:
 [2021-07-15 17:18 UTC]
Automatic comment on behalf of cmb69
Log: Fix #80849: HTTP Status header truncation
 [2021-07-15 17:18 UTC]
-Status: Verified +Status: Closed
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Apr 21 04:01:28 2024 UTC