From:
Operating system: Debian Lenny
PHP version: 5.3.2
Package: HTTP related
Bug Type: Bug
Bug description: header("Location:") changing HTTP status

Description:
------------
Please see bug #25044 (http://bugs.php.net/bug.php?id=25044), where this issue has previously been addressed to some extent. When this previous bug was fixed, the fix simply involved adding the exact mentioned codes to an exception list for status response codes that are not overwritten upon sending a Location header. Now, 201, 301, 303, 305, and 307 do not overwrite the Response code. Nevertheless, all others still do.

A more permanent fix would be not setting the status for ANY response code (very similar to the actual fix originally suggested for #25044). For backwards compatibility, you could set the response code if it has not already been set at the time that the Location header is set; but it should never be overwritten if it already has been set.

HTTP Responses 503 and 426 come immediately to mind as additional reasonable cases for adding a Location header; but in fact, neither RFC 1945 (HTTP/1.0), RFC 2616 (HTTP/1.1), RFC 2817 (Upgrading to TLS Within HTTP/1.1), nor any other IETF or other relevant standard limits the Location header to any particular response, other than to recommend ("SHOULD") it for 301, 302, 303, 305 (could be read as "MUST"), 307, and suggest it for 201 (and "intentionally undefined" by RFC 4918 (HTTP Extensions for Web Distributed Authoring and Versioning (WebDAV)) for 207). So preventing any status code from having a Location header is undesirable (however silly it may be for some certain responses).

This would future-proof the code in question against any future changes that do not involve a mandatory or forbidden Location: field (for which the current code would most likely require patching anyway).

(To be fair, this is documented behavior, even if it is non-standards-compliant. Mind you, the documentation is contradictory; http_response_code apparently "Forces the HTTP response code to the specified value.", but at the same time, "The second special case is the "Location:" header. Not only does it send this header back to the browser, but it also returns a REDIRECT (302) status code to the browser unless the 201 or a 3xx status code has already been set". It is also true that most current clients will ignore a Location header for most non-3xx responses, but that is unimportant.)

I would not consider this issue to have particular security concerns.

Test script:
---------------
<?php
header("HTTP/1.1 503 Service Unavailable");
header("Location: http://www.php.net/");

Expected result:
----------------
HTTP Response:
HTTP/1.1 503 Service Unavailable
Location: http://www.php.net/

Actual result:
--------------
HTTP Response:
HTTP/1.1 302 Found
Location: http://www.php.net/

--
Edit bug report at http://bugs.php.net/bug.php?id=51749&edit=1
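
The two rules discussed in the report, modelled in C as an added example that is not taken from PHP's source: the documented rule (a Location header forces 302 unless 201 or a 3xx status is already set) and the reporter's proposed rule (302 only when the script has not set a status itself). The struct, enum and function names are hypothetical, and the header strings are the ones from the test script.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the response status state; not PHP's own structures. */
struct response {
    int code;          /* current status code, 200 until changed */
    int explicit_code; /* 1 once the script has sent a status line itself */
};

enum rule { RULE_DOCUMENTED, RULE_PROPOSED };

/* Apply the string from one header() call to the response under a rule. */
static void apply_header(struct response *r, const char *h, enum rule rule)
{
    if (strncmp(h, "HTTP/", 5) == 0) {
        /* Status line: the numeric code follows the first space. */
        const char *sp = strchr(h, ' ');
        if (sp != NULL && atoi(sp + 1) >= 100) {
            r->code = atoi(sp + 1);
            r->explicit_code = 1;
        }
    } else if (strncmp(h, "Location:", 9) == 0) {
        /* The model matches the exact spelling used in the report. */
        int keep;
        if (rule == RULE_DOCUMENTED)
            keep = r->code == 201 || (r->code >= 300 && r->code <= 399);
        else
            keep = r->explicit_code; /* never overwrite a status already set */
        if (!keep)
            r->code = 302;
    }
}

/* Final status after the script's header() calls, applied in order. */
int final_status(const char **headers, size_t n, enum rule rule)
{
    struct response r = { 200, 0 };
    for (size_t i = 0; i < n; i++)
        apply_header(&r, headers[i], rule);
    return r.code;
}

int main(void)
{
    const char *script[] = { "HTTP/1.1 503 Service Unavailable",
                             "Location: http://www.php.net/" };
    printf("documented rule: %d\n", final_status(script, 2, RULE_DOCUMENTED));
    printf("proposed rule:   %d\n", final_status(script, 2, RULE_PROPOSED));
    return 0;
}
```

Under the proposed rule a script that sends only a Location header still gets 302, which is the backwards-compatibility case the report describes.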