Description:
------------
RFC7230, which is released in June 2014, explicitly specifies HTTP-version field as starting with "HTTP" case-sensitively.
https://datatracker.ietf.org/doc/html/rfc7230#section-2.6

However, PHP's header() function compares first 5 bytes with "HTTP/" case insensitively, and copies whole input line to output message line. This let clients misunderstand HTTP version.

https://github.com/php/php-src/blob/master/main/SAPI.c#L755

It can be patched by fixing starting 4 bytes as uppercase "HTTP" or change strncasecmp to strncmp which drops a support standards before RFC7230.

Test script:
---------------
<?php

header("http/1.1 200 OK");


Expected result:
----------------
Either of followings.

- header() throws an warning/error that notices HTTP/1.1 or higher must use uppercase "HTTP"

- Internally convert to uppercase HTTP

Actual result:
--------------
(Raw HTTP response message)
http/1.1 200 OK
Date: Sun, 21 Nov 2021 06:38:10 GMT
Connection: close
X-Powered-By: PHP/8.0.13
Content-type: text/html; charset=UTF-8

(curl in verbose, downgraded HTTP1.0)
> GET /http11.php HTTP/1.1
> Host: localhost:1234
> User-Agent: curl/7.68.0
> Accept: */*
>
* HTTP 1.0, assume close after body
< http/1.1 200 OK
< Host: localhost:1234
< Date: Sun, 21 Nov 2021 06:35:19 GMT
< Connection: close
< X-Powered-By: PHP/8.0.13
< Content-type: text/html; charset=UTF-8

(Chrome)
Translate it as HTTP/1.1

(Safari)
Translate it as HTTP/1.1

(Firefox)
Fail to translate it as valid HTTP

For browser screenshots, here is a link: https://imgur.com/a/PtrmfTA