ID: 38369
User updated by: chris at mysociety dot org
Reported By: chris at mysociety dot org
Status: Wont fix
Bug Type: CGI related
Operating System: *
PHP Version: *
New Comment:
No, you have misunderstood. You claim that PHP is a conformant CGI
program. It is not, because it will send more than one Status: header.
I have provided a fix. You refuse to apply it. Are you no longer
interested in supporting CGI?
Previous Comments:
------------------------------------------------------------------------
[2006-08-07 15:39:31] [EMAIL PROTECTED]
You're suggesting to fix the symptom instead of the cause.
------------------------------------------------------------------------
[2006-08-07 15:17:37] chris at mysociety dot org
Perhaps you'd like to go and fix all the code which uses the Status:
header, then? A quick search will find lots of PHP programs that use it
(WordPress, for instance), and they're all broken because PHP's handling
of Status: is incorrect. Alternatively you could just make PHP's
behaviour correct, using the fix I've given you.
------------------------------------------------------------------------
[2006-08-07 15:09:51] [EMAIL PROTECTED]
The SAPI independant way to issue an HTTP response code in PHP is a
"HTTP/1.x NNN" header.
------------------------------------------------------------------------
[2006-08-07 15:04:25] chris at mysociety dot org
Description:
------------
PHP does not correctly handle calls such as header("Status: ..."). In
CGI mode it should process such a call as a changing the HTTP response
code (consistent with its handling of, e.g., header("Location: ...")).
However, at present there is no special handling of the Status: header.
That's why sending Status: and then Location: causes a duplicate header:
the Location: header is handled as a special case and causes
sapi_update_response_code(302) to be called, whereas the Status: header
is just added to the list of headers to be sent back to the web server
(see bug #33225 incorrectly marked "bogus", I think because the
reviewer doesn't understand CGI). Note that sending two different
Status: headers explicitly with header("Status: ...") doesn't give this
error, because the default operation is to *replace* the header, not add
a new one.
Here is a patch to fix the bug in 4.4.3; it also applies to 5.1.4 and
probably other versions too:
--- php-4.4.3-orig/main/SAPI.c 2006-01-01 13:46:59.000000000 +0000
+++ php-4.4.3/main/SAPI.c 2006-08-07 15:49:15.000000000 +0100
@@ -611,6 +611,14 @@
/* Return a Found Redirect if
one is not already specified */
sapi_update_response_code(302
TSRMLS_CC);
}
+ } else if (!STRCASECMP(header_line, "Status"))
{
+ int code;
+ if (1 == sscanf(colon_offset + 1, "%d",
&code)
+ && code >= 100 && code < 1000)
{
+ /* Also want to suppress this
header. */
+ sapi_update_response_code(code
TSRMLS_CC);
+ return SUCCESS;
+ } /* else error? */
} else if (!STRCASECMP(header_line,
"WWW-Authenticate")) { /* HTTP Authentication */
sapi_update_response_code(401
TSRMLS_CC); /* authentication-required */
-- I've also put a copy of this at
http://bitter.ukcod.org.uk/~chris/tmp/20060807/php-4.4.3-fix-duplicate-Status:.patch
in case this form isn't transparent.
Reproduce code:
---------------
<?
header("Status: 404");
header("Location: http://www.google.com/";);
?>
Expected result:
----------------
Redirect to http://www.google.com/
Actual result:
--------------
Internal server error because PHP sends the Status: header twice,
violating the CGI spec.
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=38369&edit=1
