Request #81646 header() can violate HTTP RFC
Submitted: 2021-11-21 06:45 UTC Modified: -
Votes:2
Avg. Score:3.5 ± 1.5
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: ive_jihwan at kaist dot ac dot kr Assigned:
Status: Open Package: *Network Functions
PHP Version: 8.0.13 OS: any
Private report: No CVE-ID: None
 [2021-11-21 06:45 UTC] ive_jihwan at kaist dot ac dot kr
Description:
------------
RFC 7230, which was released in June 2014, explicitly specifies the HTTP-version field as starting with "HTTP" case-sensitively.
https://datatracker.ietf.org/doc/html/rfc7230#section-2.6

However, PHP's header() function compares the first 5 bytes with "HTTP/" case-insensitively, and copies the whole input line to the output status line. This lets clients misunderstand the HTTP version.

https://github.com/php/php-src/blob/master/main/SAPI.c#L755

It can be patched by fixing the starting 4 bytes as uppercase "HTTP", or by changing strncasecmp to strncmp, which drops support for standards before RFC 7230.

Test script:
---------------
<?php

// Lowercase "http/" passes the case-insensitive "HTTP/" prefix check and is
// emitted verbatim as the response status line.
header("http/1.1 200 OK");


Expected result:
----------------
Either of the following.

- header() throws a warning/error noting that HTTP/1.1 or higher must use uppercase "HTTP"

- Internally convert to uppercase HTTP

Actual result:
--------------
(Raw HTTP response message)
http/1.1 200 OK
Date: Sun, 21 Nov 2021 06:38:10 GMT
Connection: close
X-Powered-By: PHP/8.0.13
Content-type: text/html; charset=UTF-8

(curl in verbose mode, downgraded to HTTP/1.0)
> GET /http11.php HTTP/1.1
> Host: localhost:1234
> User-Agent: curl/7.68.0
> Accept: */*
>
* HTTP 1.0, assume close after body
< http/1.1 200 OK
< Host: localhost:1234
< Date: Sun, 21 Nov 2021 06:35:19 GMT
< Connection: close
< X-Powered-By: PHP/8.0.13
< Content-type: text/html; charset=UTF-8

(Chrome)
Translates it as HTTP/1.1

(Safari)
Translates it as HTTP/1.1

(Firefox)
Fails to translate it as valid HTTP

For browser screenshots, here is a link: https://imgur.com/a/PtrmfTA
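As an added example (not code from php-src or from the reporter), the C sketch below places the lenient "HTTP/" prefix check the report describes next to a strict check against the RFC 7230 status-line grammar and the uppercase normalization the report proposes as a remedy. Function names and the sample status lines are my own.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

/* Lenient check as the report describes SAPI.c: the first five bytes are
   compared against "HTTP/" case-insensitively, so "http/1.1 ..." passes. */
bool lenient_is_status_line(const char *line)
{
    return strncasecmp(line, "HTTP/", 5) == 0;
}

/* Strict check against RFC 7230:
   status-line   = HTTP-version SP status-code SP reason-phrase
   HTTP-version  = "HTTP" "/" DIGIT "." DIGIT   (case-sensitive)
   status-code   = 3DIGIT
   reason-phrase = *( HTAB / SP / VCHAR / obs-text ) */
bool strict_is_status_line(const char *line)
{
    size_t n = strlen(line);
    if (n < 13) return false;                      /* shortest: "HTTP/1.1 200 " */
    if (strncmp(line, "HTTP/", 5) != 0) return false;
    if (!isdigit((unsigned char)line[5]) || line[6] != '.' ||
        !isdigit((unsigned char)line[7]) || line[8] != ' ')
        return false;
    for (size_t i = 9; i < 12; i++)
        if (!isdigit((unsigned char)line[i])) return false;
    if (line[12] != ' ') return false;
    for (size_t i = 13; i < n; i++) {              /* no CR, LF or other controls */
        unsigned char c = (unsigned char)line[i];
        if (c != '\t' && (c < 0x20 || c == 0x7f)) return false;
    }
    return true;
}

/* The report's second remedy: accept the lenient match but rewrite the first
   four bytes to uppercase so the emitted status line starts with "HTTP". */
bool normalize_status_line(const char *in, char *out, size_t outsz)
{
    size_t n = strlen(in);
    if (n + 1 > outsz || !lenient_is_status_line(in)) return false;
    memcpy(out, in, n + 1);
    for (int i = 0; i < 4; i++) out[i] = (char)toupper((unsigned char)out[i]);
    return true;
}

/* Helper: normalize a copy of `in` and compare it with `expected`. */
bool normalizes_to(const char *in, const char *expected)
{
    char buf[256];
    return normalize_status_line(in, buf, sizeof buf) && strcmp(buf, expected) == 0;
}
```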

 [2023-05-29 07:59 UTC] phamdinhkhangu315 at gmail dot com
The header() function you mentioned appears to be related to PHP, where it is used to send raw HTTP headers. While it is possible to use the header() function in a way that violates the HTTP RFC (Request for Comments), it's important to note that it's not the function itself that violates the RFC, but rather the specific usage or the content of the headers being sent.

The HTTP RFC, particularly RFC 7230, defines the syntax and semantics of the HTTP protocol. It specifies how requests and responses should be formatted, including the structure and acceptable values for headers.

When using the header() function, it's crucial to ensure that the headers being sent comply with the HTTP RFC. Violations of the RFC can occur if the headers contain incorrect syntax, invalid characters, or inappropriate values. For example, sending a header with a malformed date or a header value that includes prohibited characters could be considered a violation.

It's important to follow the HTTP RFC guidelines to ensure proper communication between clients and servers. While the header() function itself doesn't enforce RFC compliance, it's the responsibility of the developer to use it correctly and send headers that adhere to the HTTP specifications.  (https://www.mcdvoice.onl/)github.com
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Apr 19 07:01:27 2024 UTC