php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #81646 header() can violate HTTP RFC
Submitted: 2021-11-21 06:45 UTC Modified: -
Votes:1
Avg. Score:2.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: ive_jihwan at kaist dot ac dot kr Assigned:
Status: Open Package: *Network Functions
PHP Version: 8.0.13 OS: any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: ive_jihwan at kaist dot ac dot kr
New email:
PHP Version: OS:

 

 [2021-11-21 06:45 UTC] ive_jihwan at kaist dot ac dot kr
Description:
------------
RFC7230, which is released in June 2014, explicitly specifies HTTP-version field as starting with "HTTP" case-sensitively.
https://datatracker.ietf.org/doc/html/rfc7230#section-2.6

However, PHP's header() function compares first 5 bytes with "HTTP/" case insensitively, and copies whole input line to output message line. This let clients misunderstand HTTP version.

https://github.com/php/php-src/blob/master/main/SAPI.c#L755

It can be patched by fixing starting 4 bytes as uppercase "HTTP" or change strncasecmp to strncmp which drops a support standards before RFC7230.

Test script:
---------------
<?php

header("http/1.1 200 OK");


Expected result:
----------------
Either of followings.

- header() throws an warning/error that notices HTTP/1.1 or higher must use uppercase "HTTP"

- Internally convert to uppercase HTTP

Actual result:
--------------
(Raw HTTP response message)
http/1.1 200 OK
Date: Sun, 21 Nov 2021 06:38:10 GMT
Connection: close
X-Powered-By: PHP/8.0.13
Content-type: text/html; charset=UTF-8

(curl in verbose, downgraded HTTP1.0)
> GET /http11.php HTTP/1.1
> Host: localhost:1234
> User-Agent: curl/7.68.0
> Accept: */*
>
* HTTP 1.0, assume close after body
< http/1.1 200 OK
< Host: localhost:1234
< Date: Sun, 21 Nov 2021 06:35:19 GMT
< Connection: close
< X-Powered-By: PHP/8.0.13
< Content-type: text/html; charset=UTF-8

(Chrome)
Translate it as HTTP/1.1

(Safari)
Translate it as HTTP/1.1

(Firefox)
Fail to translate it as valid HTTP

For browser screenshots, here is a link: https://imgur.com/a/PtrmfTA

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2022-12-20 09:02 UTC] robertsonlpj11 at gmail dot com
This article is truly astounding. Appreciative for sharing. A commitment of appreciation is all together for the association, keep on sharing such an information. (https://www.mysainsburys.net/)github.com
 [2022-12-29 08:34 UTC] marlynrasavong at gmail dot com
Did you have got any result for this bug ? (https://www.benefitscal.ltd/)github.com
 
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Wed Feb 01 23:05:51 2023 UTC