php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #81645 header() allows arbitrary status codes (which may overflow)
Submitted: 2021-11-21 05:51 UTC Modified: 2021-11-22 15:39 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: ive_jihwan at kaist dot ac dot kr Assigned:
Status: Open Package: HTTP related
PHP Version: 8.0.13 OS: Ubuntu 20.04
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2021-11-21 05:51 UTC] ive_jihwan at kaist dot ac dot kr
Description:
------------
There is a special feature in header() function that updates both HTTP status line and response code when the input is starts with "HTTP/" (case insensitive),

header() function tries to parse the new HTTP status code from input string by calling atoi() from the first non-whitespace substring after string "HTTP/". And updates the response code as atoi()'s result, and copies the HTTP status line to the raw response without any validation.

https://github.com/php/php-src/blob/master/main/SAPI.c#L550

This can cause following two problems.
1. Very wrong format of HTTP status line (which can cause variant problems in browsers)
2. Mismatch of the SAPI response code and HTTP status line due to the overflow of atoi



Test script:
---------------
<?php
header("HTTP/1.1 4294967496 aaa");

Expected result:
----------------
header() should be failed

Actual result:
--------------
(built-in PHP server)
[Sun Nov 21 05:39:04 2021] 127.0.0.1:43808 [200]: GET /sc
[Sun Nov 21 05:39:04 2021] 127.0.0.1:43808 Closing

(Raw HTTP response message)
HTTP/1.1 4294967496 aaa
Date: Sun, 21 Nov 2021 05:39:04 GMT
Connection: close
X-Powered-By: PHP/8.0.13
Content-type: text/html; charset=UTF-8

(curl)
$ curl localhost:1234/sc.php
curl: (1) Unsupported HTTP version in response

(Chrome)
https://imgur.com/a/DQT8qqZ

(Firefox)
https://imgur.com/naIbwVV

(Safari)
https://imgur.com/gtADjss



Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-11-21 05:59 UTC] ive_jihwan at kaist dot ac dot kr
There was a mistake in writing a report, During all of report, HTTP version must be missing. Thus, Test script should be changed to 

<?php
header("HTTP/ 4294967496 aaa");

and actual result from raw response message also must be changed to
HTTP/ 4294967496 aaa
Date: Sun, 21 Nov 2021 05:39:04 GMT
Connection: close
X-Powered-By: PHP/8.0.13
Content-type: text/html; charset=UTF-8
 [2021-11-22 15:26 UTC] cmb@php.net
-Summary: Integer overflow makes difference between HTTP status line and response code +Summary: header() allows arbitrary status codes (which may overflow) -Type: Bug +Type: Feature/Change Request
 [2021-11-22 15:26 UTC] cmb@php.net
I can reproduce even with the HTTP version (e.g. HTTP/1.1).
However, while I agree that the parsing is sloppy, I don't see
this as a real bug.  After all, HTTP status codes are supposed to
consist of three digits[1], and passing arbitrary status codes is
just not caught by PHP.  There is not much to prevent us from
improving the current behavior, though.  A pull request[2] would
be welcome!

[1] <https://datatracker.ietf.org/doc/html/rfc7230#section-3.1.2>
[2] <https://github.com/php/php-src#contributing>
 [2021-11-22 15:39 UTC] ive_jihwan at kaist dot ac dot kr
Thanks for reply!

Then I'm going to write a fix of it and let me make a PR :)
 [2021-11-23 08:35 UTC] ive_jihwan at kaist dot ac dot kr
The following pull request has been associated:

Patch Name: Update #81645 : header() checks the validity of HTTP status code
On GitHub:  https://github.com/php/php-src/pull/7676
Patch:      https://github.com/php/php-src/pull/7676.patch
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Fri Jan 21 18:03:34 2022 UTC