php-dev
#38369 [Opn->WFx]: Status: header incorrectly handled in CGI/FastCGI mode
by mike
Aug 7 2006 8:11AM
ID:               38369
 Updated by:       mike@[...].net
 Reported By:      chris at mysociety dot org
-Status:           Open
+Status:           Wont fix
 Bug Type:         CGI related
-Operating System: all
+Operating System: *
-PHP Version:      4.4.3
+PHP Version:      *
 New Comment:

The SAPI independent way to issue an HTTP response code in PHP is a
"HTTP/1.x NNN" header.



Previous Comments:
------------------------------------------------------------------------

[2006-08-07 15:04:25] chris at mysociety dot org

Description:
------------
PHP does not correctly handle calls such as header("Status: ..."). In
CGI mode it should process such a call as changing the HTTP response
code (consistent with its handling of, e.g., header("Location: ...")).
However, at present there is no special handling of the Status: header.
That's why sending Status: and then Location: causes a duplicate header:
the Location: header is handled as a special case and causes
sapi_update_response_code(302) to be called, whereas the Status: header
is just added to the list of headers to be sent back to the web server
(see bug #33225 incorrectly marked "bogus", I think because the
reviewer doesn't understand CGI). Note that sending two different
Status: headers explicitly with header("Status: ...") doesn't give this
error, because the default operation is to *replace* the header, not add
a new one.

Here is a patch to fix the bug in 4.4.3; it also applies to 5.1.4 and
probably other versions too:

--- php-4.4.3-orig/main/SAPI.c  2006-01-01 13:46:59.000000000 +0000
+++ php-4.4.3/main/SAPI.c       2006-08-07 15:49:15.000000000 +0100
@@ -611,6 +611,14 @@
                                        /* Return a Found Redirect if
one is not already specified */
                                        sapi_update_response_code(302
TSRMLS_CC);
                                }
+                       } else if (!STRCASECMP(header_line, "Status"))
{
+                               int code;
+                               if (1 == sscanf(colon_offset + 1, "%d",
&code)
+                                       && code > = 100 && code < 1000)
{
+                                       /* Also want to suppress this
header. */
+                                       sapi_update_response_code(code
TSRMLS_CC);
+                                       return SUCCESS;
+                               } /* else error? */
                        } else if (!STRCASECMP(header_line,
"WWW-Authenticate")) { /* HTTP Authentication */
 
                                sapi_update_response_code(401
TSRMLS_CC); /* authentication-required */
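
Review bot: The `/* else error? */` branch in the new `Status` case is left undecided, so a value that fails the `sscanf` or the 100 to 999 range check falls out of the branch without being rejected; as far as these lines show, such a header would still be queued as an ordinary header, which is the condition the patch sets out to remove. Suggest returning a failure there, or at least not emitting the header. Two smaller points on the same lines: `sscanf(colon_offset + 1, "%d", &code)` accepts leading whitespace, a sign and trailing text such as `404abc`, so a strict three-digit check would be tighter; and the early `return SUCCESS` skips whatever cleanup follows in the function, so confirm that `header_line` does not need freeing on that path. A one-line comment on why the header is suppressed rather than replaced would also help.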


-- I've also put a copy of this at
http://bitter.ukcod.org.uk/~chris/tmp/20060807/php-4.4.3-fix-duplicate-Status:.patch
 in case this form isn't transparent.

Reproduce code:
---------------
<?
header("Status: 404");
header("Location: http://www.google.com/");
?> 

Expected result:
----------------
Redirect to http://www.google.com/

Actual result:
--------------
Internal server error because PHP sends the Status: header twice,
violating the CGI spec.


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=38369&edit=1
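
The receiving side of the problem reported above, as an added example that is not part of the original post or of PHP's source: it reads a CGI header block, rejects a repeated or malformed `Status:` line, and otherwise derives the response code, parsing the value strictly where `sscanf("%d")` would accept trailing text. The function names, the constructed sample and the assumed defaults (302 when only `Location:` is present, 200 otherwise) are assumptions of this example.

```c
#include <ctype.h>
#include <string.h>
/* Constructed sample: the doubled Status: output the report describes. */
const char DUP_SAMPLE[] = "Status: 404\r\nStatus: 302\r\nLocation: http://www.google.com/\r\n\r\n";

/* Case-insensitive match of a header name of length n (hypothetical helper). */
static int name_is(const char *s, size_t n, const char *want)
{
    if (strlen(want) != n) return 0;
    for (size_t k = 0; k < n; k++)
        if (tolower((unsigned char)s[k]) != tolower((unsigned char)want[k])) return 0;
    return 1;
}

/* Strict Status value: optional blanks, exactly three digits, then end of
 * value or a space before the reason phrase. Returns 100-999, or -1. */
int parse_status_value(const char *v, size_t len)
{
    size_t i = 0;
    while (i < len && (v[i] == ' ' || v[i] == '\t')) i++;
    for (size_t k = 0; k < 3; k++)
        if (i + k >= len || !isdigit((unsigned char)v[i + k])) return -1;
    if (i + 3 < len && v[i + 3] != ' ') return -1;
    int code = (v[i] - '0') * 100 + (v[i + 1] - '0') * 10 + (v[i + 2] - '0');
    return code >= 100 ? code : -1;
}

/* Assumed gateway behaviour: returns the Status code, else 302 if Location is
 * present, else 200; -1 (server error) for a repeated or malformed Status. */
int cgi_response_code(const char *hdrs)
{
    int status = 0, seen_status = 0, has_location = 0;
    while (*hdrs && *hdrs != '\r' && *hdrs != '\n') {   /* stop at blank line */
        const char *eol = strchr(hdrs, '\n');
        size_t len = eol ? (size_t)(eol - hdrs) : strlen(hdrs);
        if (len && hdrs[len - 1] == '\r') len--;
        const char *colon = memchr(hdrs, ':', len);
        if (!colon) return -1;
        size_t nlen = (size_t)(colon - hdrs);
        if (name_is(hdrs, nlen, "Status")) {
            if (seen_status++) return -1;               /* second Status: line */
            status = parse_status_value(colon + 1, len - nlen - 1);
            if (status < 0) return -1;
        } else if (name_is(hdrs, nlen, "Location")) {
            has_location = 1;
        }
        hdrs = eol ? eol + 1 : hdrs + strlen(hdrs);
    }
    return seen_status ? status : (has_location ? 302 : 200);
}
```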