|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81305 Development Webserver Drops Requests With "Upgrade" Header
Submitted: 2021-07-28 03:37 UTC Modified: 2021-07-29 10:21 UTC
From: parsonswy at gmail dot com Assigned: cmb (profile)
Status: Closed Package: Built-in web server
PHP Version: 7.4 OS: Windows
Private report: No CVE-ID: None
 [2021-07-28 03:37 UTC] parsonswy at gmail dot com
The development server appears to discard any HTTP requests that have the "Upgrade" header as malformed. I couldn't find information on what HTTP spec the server is built to support, if any. Actually implementing the HTTP upgrade protocol seems overkill for the scope of the server. Having it at least accept the request and ignore the upgrade offer I think is still spec compliant and preferable to generic discard and socket close. Alternatively, responding with HTTP/BAD_REQUEST and documenting the behavior is a more transparent option.

I have confirmed that my client was indicating HTTP/1.1 so the 'Upgrade' header should still be legal on the request. I don't actually need to use HTTP/2, I had a Java client that I was testing which requested an upgrade by default and this was a difficult issue to debug.

Tested on PHP/8.0.3 (Native Windows & alpine docker), PHP/8.0.8 alpine docker.

Test script:
Succeeds: curl "http://localhost:8081" --trace-ascii - -X GET

Fails "Invalid request (Malformed HTTP request)": curl "http://localhost:8081" --trace-ascii - -X GET -H "Upgrade: HTTP/2.0" -H "Connection: upgrade"


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2021-07-28 13:58 UTC]
-Status: Open +Status: Verified -PHP Version: 8.0.8 +PHP Version: 7.4 -Assigned To: +Assigned To: cmb
 [2021-07-28 13:58 UTC]
Fun fact: while our HTTP parser has support for upgrade, this
isn't supported by our Webserver code.
 [2021-07-29 10:21 UTC]
The following pull request has been associated:

Patch Name: Fix #81305: Built-in Webserver Drops Requests With "Upgrade" Header
On GitHub:
 [2021-07-29 11:23 UTC]
Automatic comment on behalf of cmb69
Log: Fix #81305: Built-in Webserver Drops Requests With "Upgrade" Header
 [2021-07-29 11:23 UTC]
-Status: Verified +Status: Closed
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue May 28 18:01:32 2024 UTC