Request #81646 header() can violate HTTP RFC
Submitted: 2021-11-21 06:45 UTC Modified: -
Avg. Score:2.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: ive_jihwan at kaist dot ac dot kr Assigned:
Status: Open Package: *Network Functions
PHP Version: 8.0.13 OS: any
Private report: No CVE-ID: None

 [2021-11-21 06:45 UTC] ive_jihwan at kaist dot ac dot kr
RFC 7230, which was released in June 2014, explicitly specifies the HTTP-version field as starting with "HTTP", case-sensitively.

However, PHP's header() function compares the first 5 bytes with "HTTP/" case-insensitively, and copies the whole input line to the output message line. This lets clients misunderstand the HTTP version.

It can be patched by fixing the starting 4 bytes as uppercase "HTTP", or by changing strncasecmp to strncmp, which drops support for standards before RFC 7230.

Test script:

<?php
header("http/1.1 200 OK");

Expected result:
Either of the following:

- header() throws a warning/error noting that HTTP/1.1 or higher must use uppercase "HTTP"

- header() internally converts it to uppercase HTTP

Actual result:
(Raw HTTP response message)
http/1.1 200 OK
Date: Sun, 21 Nov 2021 06:38:10 GMT
Connection: close
X-Powered-By: PHP/8.0.13
Content-type: text/html; charset=UTF-8

(curl in verbose, downgraded HTTP1.0)
> GET /http11.php HTTP/1.1
> Host: localhost:1234
> User-Agent: curl/7.68.0
> Accept: */*
* HTTP 1.0, assume close after body
< http/1.1 200 OK
< Host: localhost:1234
< Date: Sun, 21 Nov 2021 06:35:19 GMT
< Connection: close
< X-Powered-By: PHP/8.0.13
< Content-type: text/html; charset=UTF-8

Translate it as HTTP/1.1

Translate it as HTTP/1.1

Fail to translate it as valid HTTP

For browser screenshots, here is a link:
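
Added example, not part of the original report and not PHP's source code: a C sketch that puts the case-insensitive 5-byte prefix comparison the report describes beside a strict check of the RFC 7230 status-line grammar, so the lines the two disagree on are visible. The function names and the sample lines are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h> /* strncasecmp (POSIX) */

/* Lenient check as the report describes it: first 5 bytes compared
 * with "HTTP/" case-insensitively. Hypothetical name, not PHP source. */
int lenient_is_status_line(const char *line)
{
    return strncasecmp(line, "HTTP/", 5) == 0;
}

/* Strict check against the RFC 7230 grammar (line passed without CRLF):
 *   status-line   = HTTP-version SP status-code SP reason-phrase
 *   HTTP-version  = "HTTP" "/" DIGIT "." DIGIT   ; "HTTP" case-sensitive
 *   status-code   = 3DIGIT
 *   reason-phrase = *( HTAB / SP / VCHAR / obs-text )
 * Hypothetical name. */
int strict_is_status_line(const char *line)
{
    const unsigned char *p = (const unsigned char *)line;
    size_t len = strlen(line), i;

    if (len < 13 || strncmp(line, "HTTP/", 5) != 0) /* min: "HTTP/1.1 200 " */
        return 0;
    if (!isdigit(p[5]) || p[6] != '.' || !isdigit(p[7]) || p[8] != ' ')
        return 0;
    if (!isdigit(p[9]) || !isdigit(p[10]) || !isdigit(p[11]) || p[12] != ' ')
        return 0;
    for (i = 13; i < len; i++) {
        /* allow HTAB, SP, VCHAR and obs-text; reject CR, LF, other controls */
        if (!(p[i] == '\t' || p[i] == ' ' || (p[i] >= 0x21 && p[i] <= 0x7e) || p[i] >= 0x80))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs; the first is the report's test string. */
    const char *samples[] = { "http/1.1 200 OK", "HTTP/1.1 200 OK",
                              "HtTp/1.1 404 Not Found", "HTTP/1.1 200" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s lenient=%d strict=%d\n", samples[i],
               lenient_is_status_line(samples[i]),
               strict_is_status_line(samples[i]));
    return 0;
}
```

Any line for which the lenient check returns 1 and the strict check returns 0 is one that would be emitted verbatim as a status line while not matching the RFC 7230 grammar.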


 [2022-12-20 09:02 UTC] robertsonlpj11 at gmail dot com
This article is truly astounding. Appreciative for sharing. A commitment of appreciation is all together for the association, keep on sharing such an information.
 [2022-12-29 08:34 UTC] marlynrasavong at gmail dot com
Did you get any result for this bug?
Last updated: Wed Feb 01 23:05:51 2023 UTC