Request #81645 header() allows arbitrary status codes (which may overflow)
Submitted: 2021-11-21 05:51 UTC Modified: 2021-11-22 15:39 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: ive_jihwan at kaist dot ac dot kr Assigned:
Status: Open Package: HTTP related
PHP Version: 8.0.13 OS: Ubuntu 20.04
Private report: No CVE-ID: None
 [2021-11-21 05:51 UTC] ive_jihwan at kaist dot ac dot kr
Description:
------------
There is a special feature in the header() function that updates both the HTTP status line and the response code when the input starts with "HTTP/" (case insensitive).

The header() function tries to parse the new HTTP status code from the input string by calling atoi() from the first non-whitespace substring after the string "HTTP/". It then updates the response code to atoi()'s result and copies the HTTP status line to the raw response without any validation.

https://github.com/php/php-src/blob/master/main/SAPI.c#L550

This can cause the following two problems.
1. Very wrong format of the HTTP status line (which can cause various problems in browsers)
2. Mismatch of the SAPI response code and HTTP status line due to the overflow of atoi



Test script:
---------------
<?php
header("HTTP/1.1 4294967496 aaa");

Expected result:
----------------
header() should fail

Actual result:
--------------
(built-in PHP server)
[Sun Nov 21 05:39:04 2021] 127.0.0.1:43808 [200]: GET /sc
[Sun Nov 21 05:39:04 2021] 127.0.0.1:43808 Closing

(Raw HTTP response message)
HTTP/1.1 4294967496 aaa
Date: Sun, 21 Nov 2021 05:39:04 GMT
Connection: close
X-Powered-By: PHP/8.0.13
Content-type: text/html; charset=UTF-8

(curl)
$ curl localhost:1234/sc.php
curl: (1) Unsupported HTTP version in response

(Chrome)
https://imgur.com/a/DQT8qqZ

(Firefox)
https://imgur.com/naIbwVV

(Safari)
https://imgur.com/gtADjss



Patches

pHqghUme (last revision 2023-01-21 23:58 UTC by sample at email dot tst)

History

 [2021-11-21 05:59 UTC] ive_jihwan at kaist dot ac dot kr
There was a mistake in writing the report. Throughout the report, the HTTP version must be missing. Thus, the test script should be changed to

<?php
header("HTTP/ 4294967496 aaa");

and actual result from raw response message also must be changed to
HTTP/ 4294967496 aaa
Date: Sun, 21 Nov 2021 05:39:04 GMT
Connection: close
X-Powered-By: PHP/8.0.13
Content-type: text/html; charset=UTF-8
 [2021-11-22 15:26 UTC] cmb@php.net
-Summary: Integer overflow makes difference between HTTP status line and response code
+Summary: header() allows arbitrary status codes (which may overflow)
-Type: Bug
+Type: Feature/Change Request
 [2021-11-22 15:26 UTC] cmb@php.net
I can reproduce even with the HTTP version (e.g. HTTP/1.1).
However, while I agree that the parsing is sloppy, I don't see
this as a real bug.  After all, HTTP status codes are supposed to
consist of three digits[1], and passing arbitrary status codes is
just not caught by PHP.  There is not much to prevent us from
improving the current behavior, though.  A pull request[2] would
be welcome!

[1] <https://datatracker.ietf.org/doc/html/rfc7230#section-3.1.2>
[2] <https://github.com/php/php-src#contributing>
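The mismatch discussed in this thread, as an added example (not code from php-src or from any pull request): `lenient_status_code` is a hypothetical model of the atoi-style parsing the report describes, with the 32-bit wraparound made explicit, and `strict_status_code` is a hypothetical check for the three-digit status code of RFC 7230 section 3.1.2. The sample lines are the report's two test strings plus one constructed valid line.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the lenient behaviour described in the report: take
 * the number after the first space and keep only its low 32 bits. atoi() has
 * undefined behaviour on overflow, so the truncation that explains the
 * logged [200] is written out explicitly here. */
static int lenient_status_code(const char *line)
{
    const char *sp = strchr(line, ' ');
    if (sp == NULL)
        return 200;
    return (int)(uint32_t)strtoull(sp + 1, NULL, 10);
}

/* Strict check: "HTTP/" DIGIT "." DIGIT SP 3DIGIT, then SP or end of line
 * (a missing reason phrase is tolerated). Returns the status code, or -1
 * when the line should be rejected instead of being sent. */
static int strict_status_code(const char *line)
{
    if (strncmp(line, "HTTP/", 5) != 0)
        return -1;
    const unsigned char *p = (const unsigned char *)line + 5;
    if (!isdigit(p[0]) || p[1] != '.' || !isdigit(p[2]) || p[3] != ' ')
        return -1;                      /* version missing or malformed */
    p += 4;
    if (!isdigit(p[0]) || !isdigit(p[1]) || !isdigit(p[2]))
        return -1;                      /* fewer than three digits */
    if (p[3] != ' ' && p[3] != '\0')
        return -1;                      /* a fourth digit or junk follows */
    return (p[0] - '0') * 100 + (p[1] - '0') * 10 + (p[2] - '0');
}

int main(void)
{
    const char *samples[] = {
        "HTTP/1.1 4294967496 aaa",      /* test string from the report */
        "HTTP/ 4294967496 aaa",         /* corrected test string */
        "HTTP/1.1 404 Not Found",       /* constructed valid line */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s lenient=%d strict=%d\n", samples[i],
               lenient_status_code(samples[i]), strict_status_code(samples[i]));
    return 0;
}
```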
 [2021-11-22 15:39 UTC] ive_jihwan at kaist dot ac dot kr
Thanks for the reply!

Then I'm going to write a fix for it and make a PR :)
 [2021-11-23 08:35 UTC] ive_jihwan at kaist dot ac dot kr
The following pull request has been associated:

Patch Name: Update #81645 : header() checks the validity of HTTP status code
On GitHub:  https://github.com/php/php-src/pull/7676
Patch:      https://github.com/php/php-src/pull/7676.patch
 [2023-01-21 23:37 UTC] sample at email dot tst
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1674344244
URL:        https://bugs.php.net/patch-display.php?bug=81645&patch=pHqghUme&revision=1674344244
 [2023-01-21 23:58 UTC] sample at email dot tst
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1674345528
URL:        https://bugs.php.net/patch-display.php?bug=81645&patch=pHqghUme&revision=1674345528
 [2023-01-21 23:58 UTC] sample at email dot tst
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1674345529
URL:        https://bugs.php.net/patch-display.php?bug=81645&patch=pHqghUme&revision=1674345529
 
Last updated: Tue Feb 07 03:05:52 2023 UTC