Request #81646 header() can violate HTTP RFC
Submitted: 2021-11-21 06:45 UTC Modified: -
Votes:3
Avg. Score:3.3 ± 1.2
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: ive_jihwan at kaist dot ac dot kr Assigned:
Status: Open Package: *Network Functions
PHP Version: 8.0.13 OS: any
Private report: No CVE-ID: None
 [2021-11-21 06:45 UTC] ive_jihwan at kaist dot ac dot kr
Description:
------------
RFC7230, which was released in June 2014, explicitly specifies the HTTP-version field as starting with "HTTP" case-sensitively.
https://datatracker.ietf.org/doc/html/rfc7230#section-2.6

However, PHP's header() function compares the first 5 bytes with "HTTP/" case-insensitively, and copies the whole input line to the output message line. This lets clients misunderstand the HTTP version.

https://github.com/php/php-src/blob/master/main/SAPI.c#L755

It can be patched by forcing the starting 4 bytes to uppercase "HTTP", or by changing strncasecmp to strncmp, which drops support for standards before RFC7230.

Test script:
---------------
<?php

header("http/1.1 200 OK");


Expected result:
----------------
Either of the following.

- header() throws a warning/error noting that HTTP/1.1 or higher must use uppercase "HTTP"

- Internally convert to uppercase HTTP

Actual result:
--------------
(Raw HTTP response message)
http/1.1 200 OK
Date: Sun, 21 Nov 2021 06:38:10 GMT
Connection: close
X-Powered-By: PHP/8.0.13
Content-type: text/html; charset=UTF-8

(curl in verbose mode, downgraded to HTTP/1.0)
> GET /http11.php HTTP/1.1
> Host: localhost:1234
> User-Agent: curl/7.68.0
> Accept: */*
>
* HTTP 1.0, assume close after body
< http/1.1 200 OK
< Host: localhost:1234
< Date: Sun, 21 Nov 2021 06:35:19 GMT
< Connection: close
< X-Powered-By: PHP/8.0.13
< Content-type: text/html; charset=UTF-8

(Chrome)
Translates it as HTTP/1.1

(Safari)
Translates it as HTTP/1.1

(Firefox)
Fails to translate it as valid HTTP

For browser screenshots, here is a link: https://imgur.com/a/PtrmfTA
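
An added example, not code from the report or from php-src, that reproduces in C the distinction the report draws: the lenient strncasecmp prefix check (the behaviour the report attributes to main/SAPI.c) beside a strict check that follows the RFC 7230 grammar (HTTP-version = "HTTP/" DIGIT "." DIGIT, with "HTTP" case-sensitive), plus the uppercasing normalization the reporter proposes as the second remedy. The function names, the enum and the sample lines are constructed for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed classification of a line handed to header()-style output. */
enum status_line_kind {
    NOT_STATUS_LINE = 0,      /* treated as an ordinary header line */
    STATUS_LINE_OK = 1,       /* "HTTP/" DIGIT "." DIGIT SP ... per RFC 7230 */
    STATUS_LINE_BAD_CASE = 2  /* matched only case-insensitively: the reported bug */
};

/* Lenient prefix check: case-insensitive compare of the first 5 bytes,
   i.e. the strncasecmp behaviour the report describes. */
static int lenient_prefix_match(const char *line) {
    return strncasecmp(line, "HTTP/", 5) == 0;
}

/* Strict check: "HTTP" case-sensitive, then "/" DIGIT "." DIGIT SP.
   Each test short-circuits on the NUL terminator, so short inputs are safe. */
static int strict_prefix_match(const char *line) {
    return strncmp(line, "HTTP/", 5) == 0
        && isdigit((unsigned char)line[5])
        && line[6] == '.'
        && isdigit((unsigned char)line[7])
        && line[8] == ' ';
}

/* Decide how a line would be handled under both checks. */
enum status_line_kind classify_status_line(const char *line) {
    if (!lenient_prefix_match(line)) return NOT_STATUS_LINE;
    if (strict_prefix_match(line)) return STATUS_LINE_OK;
    return STATUS_LINE_BAD_CASE;   /* e.g. "http/1.1 200 OK" */
}

/* The reporter's second remedy: uppercase the first four bytes in place
   whenever the lenient check matched. Returns 1 if the result is a
   conforming status line, 0 otherwise. */
int normalize_status_line(char *line) {
    if (!lenient_prefix_match(line)) return 0;
    for (int i = 0; i < 4; i++) {
        line[i] = (char)toupper((unsigned char)line[i]);
    }
    return strict_prefix_match(line);
}

int main(void) {
    /* Constructed sample lines, including the one from the report's test script. */
    const char *samples[] = {
        "http/1.1 200 OK",
        "HTTP/1.1 200 OK",
        "Http/1.0 404 Not Found",
        "Content-type: text/html; charset=UTF-8",
    };
    const char *names[] = { "NOT_STATUS_LINE", "STATUS_LINE_OK", "STATUS_LINE_BAD_CASE" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-40s -> %s\n", samples[i], names[classify_status_line(samples[i])]);
    }

    char buf[] = "http/1.1 200 OK";
    int ok = normalize_status_line(buf);
    printf("normalized: %s (conforming=%d)\n", buf, ok);
    return 0;
}
```

The lenient function alone cannot tell the first two samples apart, which is exactly why the lowercase line reaches the wire verbatim; the strict function rejects it, and the normalizer turns it into a line the strict function accepts.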
