php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #81305 Development Webserver Drops Requests With "Upgrade" Header
Submitted: 2021-07-28 03:37 UTC Modified: 2021-07-29 10:21 UTC
From: parsonswy at gmail dot com Assigned: cmb (profile)
Status: Closed Package: Built-in web server
PHP Version: 7.4 OS: Windows
Private report: No CVE-ID: None
 [2021-07-28 03:37 UTC] parsonswy at gmail dot com
Description:
------------
The development server appears to discard any HTTP requests that have the "Upgrade" header as malformed. I couldn't find information on what HTTP spec the server is built to support, if any. Actually implementing the HTTP upgrade protocol seems overkill for the scope of the server. Having it at least accept the request and ignore the upgrade offer I think is still spec compliant and preferable to generic discard and socket close. Alternatively, responding with HTTP/BAD_REQUEST and documenting the behavior is a more transparent option.

I have confirmed that my client was indicating HTTP/1.1 so the 'Upgrade' header should still be legal on the request. I don't actually need to use HTTP/2, I had a Java client that I was testing which requested an upgrade by default and this was a difficult issue to debug.

Tested on PHP/8.0.3 (Native Windows & alpine docker), PHP/8.0.8 alpine docker.

Test script:
---------------
Succeeds: curl "http://localhost:8081" --trace-ascii - -X GET

Fails "Invalid request (Malformed HTTP request)": curl "http://localhost:8081" --trace-ascii - -X GET -H "Upgrade: HTTP/2.0" -H "Connection: upgrade"


Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-07-28 13:58 UTC] cmb@php.net
-Status: Open +Status: Verified -PHP Version: 8.0.8 +PHP Version: 7.4 -Assigned To: +Assigned To: cmb
 [2021-07-28 13:58 UTC] cmb@php.net
Fun fact: while our HTTP parser has support for upgrade, this
isn't supported by our Webserver code.
 [2021-07-29 10:21 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #81305: Built-in Webserver Drops Requests With "Upgrade" Header
On GitHub:  https://github.com/php/php-src/pull/7316
Patch:      https://github.com/php/php-src/pull/7316.patch
 [2021-07-29 11:23 UTC] git@php.net
Automatic comment on behalf of cmb69
Revision: https://github.com/php/php-src/commit/d1ccb5bd0c7f6ed981e1d0bbfc42fbf5c7561b2c
Log: Fix #81305: Built-in Webserver Drops Requests With "Upgrade" Header
 [2021-07-29 11:23 UTC] git@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Mon Sep 27 14:03:37 2021 UTC