Request #81645 header() allows arbitrary status codes (which may overflow)
Submitted: 2021-11-21 05:51 UTC Modified: 2021-11-22 15:39 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: ive_jihwan at kaist dot ac dot kr Assigned:
Status: Open Package: HTTP related
PHP Version: 8.0.13 OS: Ubuntu 20.04
Private report: No CVE-ID: None
 [2021-11-21 05:51 UTC] ive_jihwan at kaist dot ac dot kr
Description:
------------
There is a special feature in the header() function that updates both the HTTP status line and the response code when the input starts with "HTTP/" (case insensitive).

The header() function tries to parse the new HTTP status code from the input string by calling atoi() on the first non-whitespace substring after the string "HTTP/". It then updates the response code to atoi()'s result and copies the HTTP status line to the raw response without any validation.

https://github.com/php/php-src/blob/master/main/SAPI.c#L550

This can cause the following two problems.
1. A very wrong format of the HTTP status line (which can cause various problems in browsers)
2. A mismatch between the SAPI response code and the HTTP status line due to the overflow of atoi



Test script:
---------------
<?php
header("HTTP/1.1 4294967496 aaa");

Expected result:
----------------
header() should fail

Actual result:
--------------
(built-in PHP server)
[Sun Nov 21 05:39:04 2021] 127.0.0.1:43808 [200]: GET /sc
[Sun Nov 21 05:39:04 2021] 127.0.0.1:43808 Closing

(Raw HTTP response message)
HTTP/1.1 4294967496 aaa
Date: Sun, 21 Nov 2021 05:39:04 GMT
Connection: close
X-Powered-By: PHP/8.0.13
Content-type: text/html; charset=UTF-8

(curl)
$ curl localhost:1234/sc.php
curl: (1) Unsupported HTTP version in response

(Chrome)
https://imgur.com/a/DQT8qqZ

(Firefox)
https://imgur.com/naIbwVV

(Safari)
https://imgur.com/gtADjss



Patches

pHqghUme (last revision 2023-02-08 00:03 UTC by sample at email dot tst)

Pull Requests

Pull requests:

History

 [2021-11-21 05:59 UTC] ive_jihwan at kaist dot ac dot kr
There was a mistake in writing the report: throughout the report, the HTTP version must be missing. Thus, the test script should be changed to

<?php
header("HTTP/ 4294967496 aaa");

and actual result from raw response message also must be changed to
HTTP/ 4294967496 aaa
Date: Sun, 21 Nov 2021 05:39:04 GMT
Connection: close
X-Powered-By: PHP/8.0.13
Content-type: text/html; charset=UTF-8
 [2021-11-22 15:26 UTC] cmb@php.net
-Summary: Integer overflow makes difference between HTTP status line and response code
+Summary: header() allows arbitrary status codes (which may overflow)
-Type: Bug
+Type: Feature/Change Request
 [2021-11-22 15:26 UTC] cmb@php.net
I can reproduce even with the HTTP version (e.g. HTTP/1.1).
However, while I agree that the parsing is sloppy, I don't see
this as a real bug.  After all, HTTP status codes are supposed to
consist of three digits[1], and passing arbitrary status codes is
just not caught by PHP.  There is not much to prevent us from
improving the current behavior, though.  A pull request[2] would
be welcome!

[1] <https://datatracker.ietf.org/doc/html/rfc7230#section-3.1.2>
[2] <https://github.com/php/php-src#contributing>
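The strict status-line check the two comments above call for (three-digit status code per RFC 7230 section 3.1.2, instead of an unbounded atoi() on whatever follows "HTTP/"), written out as an added example. This is not php-src code and not the linked pull request; parse_status_line() is a hypothetical helper with the same input as header() would receive, and the sample lines in main() are constructed, including the overflowing one from the report.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Strict status-line check, added as an example; not the php-src implementation.
 * Returns the three-digit status code on success, or -1 if the line does not
 * match RFC 7230 section 3.1.2:
 *   status-line  = HTTP-version SP status-code SP reason-phrase
 *   HTTP-version = "HTTP/" DIGIT "." DIGIT
 *   status-code  = 3DIGIT
 * The reason phrase may be empty but must not contain control characters,
 * so a CR or LF smuggled into the phrase is rejected as well. */
int parse_status_line(const char *line)
{
    const char *p = line;
    int code = 0;
    size_t i;

    /* prefix is matched case-insensitively, as header() does */
    if (p == NULL || strncasecmp(p, "HTTP/", 5) != 0)
        return -1;
    p += 5;

    /* HTTP-version: DIGIT "." DIGIT; "HTTP/ 404" from the report fails here */
    if (!isdigit((unsigned char)p[0]) || p[1] != '.' ||
        !isdigit((unsigned char)p[2]))
        return -1;
    p += 3;

    /* exactly one SP before the status code */
    if (*p++ != ' ')
        return -1;

    /* status-code: exactly three digits, accumulated by hand so the value
     * is bounded (000..999) and can never overflow an int */
    for (i = 0; i < 3; i++) {
        if (!isdigit((unsigned char)p[i]))
            return -1;
        code = code * 10 + (p[i] - '0');
    }
    p += 3;

    /* a fourth digit means the caller passed something like 4294967496 */
    if (*p == '\0')
        return code;
    if (*p++ != ' ')
        return -1;

    /* reason-phrase: HTAB / SP / VCHAR / obs-text; no CR, LF or other controls */
    for (; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c != '\t' && (c < 0x20 || c == 0x7f))
            return -1;
    }
    return code;
}

int main(void)
{
    /* constructed inputs; the second is the status line from the report */
    const char *samples[] = {
        "HTTP/1.1 404 Not Found",
        "HTTP/1.1 4294967496 aaa",
        "HTTP/ 4294967496 aaa",
        "http/1.0 204",
        "HTTP/1.1 20",
    };
    size_t n = sizeof samples / sizeof samples[0];
    for (size_t i = 0; i < n; i++)
        printf("%-28s -> %d\n", samples[i], parse_status_line(samples[i]));
    return 0;
}
```

A wrapper around header() that refuses any line for which this returns -1 removes both problems from the report at once: the raw status line can no longer be malformed, and the code stored by the SAPI is always the same three digits the client sees, so no atoi() overflow can make the two disagree.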
 [2021-11-22 15:39 UTC] ive_jihwan at kaist dot ac dot kr
Thanks for reply!

Then I'm going to write a fix of it and let me make a PR :)
 [2021-11-23 08:35 UTC] ive_jihwan at kaist dot ac dot kr
The following pull request has been associated:

Patch Name: Update #81645 : header() checks the validity of HTTP status code
On GitHub:  https://github.com/php/php-src/pull/7676
Patch:      https://github.com/php/php-src/pull/7676.patch
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Nov 23 22:01:28 2024 UTC