From: mnot at pobox dot com Operating system: Mac OS X 10.3.8 PHP version: 4.3.10 PHP Bug Type: Apache related Bug description: Erroneous Allow HTTP response header
Description: ------------ When using the Apache module, PHP installs the xbithack handler for text/html. This handler make the following change to r->allowed, which is what Apache uses to populate the Allowed header on responses that require it (e.g., to OPTIONS, 405 Method Not Allowed, 501 Not Implemented); r->allowed |= (1 << METHODS) - 1; This has the affect of adding *all* known HTTP methods to the list. Effectively, PHP is telling clients that it can handle all HTTP methods, even for resources that aren't actually parsed as PHP. This is also the case in php5. Reproduce code: --------------- mnot-laptop:~> telnet localhost 80 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. OPTIONS /index.html HTTP/1.1 Host: localhost Expected result: ---------------- HTTP/1.1 200 OK Date: Mon, 04 Apr 2005 03:12:29 GMT Server: Apache/1.3.33 (Darwin) PHP/4.3.10 Cache-Control: max-age=3600 Expires: Mon, 04 Apr 2005 04:12:29 GMT Content-Length: 0 Allow: GET, HEAD, OPTIONS, TRACE Actual result: -------------- HTTP/1.1 200 OK Date: Mon, 04 Apr 2005 03:12:29 GMT Server: Apache/1.3.33 (Darwin) PHP/4.3.10 Cache-Control: max-age=3600 Expires: Mon, 04 Apr 2005 04:12:29 GMT Content-Length: 0 Allow: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK, TRACE -- Edit bug report at http://bugs.php.net/?id=32561&edit=1 -- Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=32561&r=trysnapshot4 Try a CVS snapshot (php5.0): http://bugs.php.net/fix.php?id=32561&r=trysnapshot50 Try a CVS snapshot (php5.1): http://bugs.php.net/fix.php?id=32561&r=trysnapshot51 Fixed in CVS: http://bugs.php.net/fix.php?id=32561&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=32561&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=32561&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=32561&r=needscript Try newer version: http://bugs.php.net/fix.php?id=32561&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=32561&r=support Expected behavior: http://bugs.php.net/fix.php?id=32561&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=32561&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=32561&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=32561&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=32561&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=32561&r=dst IIS Stability: http://bugs.php.net/fix.php?id=32561&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=32561&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=32561&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=32561&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=32561&r=mysqlcfg