From: chris at mysociety dot org
Operating system: all
PHP version: 4.4.3
PHP Bug Type: CGI related
Bug description: Status: header incorrectly handled in CGI/FastCGI mode
Description:
------------
PHP does not correctly handle calls such as header("Status: ..."). In CGI
mode it should process such a call as changing the HTTP response code
(consistent with its handling of, e.g., header("Location: ...")). However,
at present there is no special handling of the Status: header. That's why
sending Status: and then Location: causes a duplicate header: the
Location: header is handled as a special case and causes
sapi_update_response_code(302) to be called, whereas the Status: header is
just added to the list of headers to be sent back to the web server (see
bug #33225 incorrectly marked "bogus", I think because the reviewer
doesn't understand CGI). Note that sending two different Status: headers
explicitly with header("Status: ...") doesn't give this error, because the
default operation is to *replace* the header, not add a new one.
Here is a patch to fix the bug in 4.4.3; it also applies to 5.1.4 and
probably other versions too:
--- php-4.4.3-orig/main/SAPI.c 2006-01-01 13:46:59.000000000 +0000
+++ php-4.4.3/main/SAPI.c 2006-08-07 15:49:15.000000000 +0100
@@ -611,6 +611,14 @@
/* Return a Found Redirect if one
is not already specified */
sapi_update_response_code(302
TSRMLS_CC);
}
+ } else if (!STRCASECMP(header_line, "Status")) {
+ int code;
+ if (1 == sscanf(colon_offset + 1, "%d",
&code)
+ && code >= 100 && code < 1000) {
+ /* Also want to suppress this
header. */
+ sapi_update_response_code(code
TSRMLS_CC);
+ return SUCCESS;
+ } /* else error? */
} else if (!STRCASECMP(header_line,
"WWW-Authenticate")) { /* HTTP Authentication */
sapi_update_response_code(401 TSRMLS_CC);
/* authentication-required */
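Review bot: the "/* else error? */" branch that closes the new Status case leaves the failure path undecided. When sscanf does not match, or the code falls outside 100..999, control drops out of the block without returning, so the value is presumably still queued as an ordinary Status header, which is the condition that leads to the duplicate. Decide this explicitly: either reject the call or document that the fall-through is intended. Separately, sscanf(colon_offset + 1, "%d", &code) accepts a leading sign and ignores trailing characters, so a value such as "404abc" is taken as 404; parsing with strtol and checking the end pointer would make the accepted form explicit.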
-- I've also put a copy of this at
http://bitter.ukcod.org.uk/~chris/tmp/20060807/php-4.4.3-fix-duplicate-Status:.patch
in case this form isn't transparent.
Reproduce code:
---------------
<?
header("Status: 404");
header("Location: http://www.google.com/");
?>
Expected result:
----------------
Redirect to http://www.google.com/
Actual result:
--------------
Internal server error because PHP sends the Status: header twice,
violating the CGI spec.
--
Edit bug report at http://bugs.php.net/?id=38369&edit=1
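A check for the failure described in this report, as an added example (not part of the original message or of PHP's source): a C function that scans the header block of a CGI response and flags a repeated or malformed Status field. The function and constant names and the sample header block are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Result codes for check_cgi_headers() (names are this example's own). */
enum { CGI_OK = 0, CGI_DUP_STATUS = 1, CGI_BAD_STATUS = 2 };

/* A Status value must begin with exactly three digits, then end or a space. */
static int status_value_ok(const char *v, size_t len)
{
    while (len > 0 && (*v == ' ' || *v == '\t')) { v++; len--; }
    if (len < 3) return 0;
    for (int i = 0; i < 3; i++)
        if (!isdigit((unsigned char)v[i])) return 0;
    return len == 3 || v[3] == ' ';
}

/* Walk the header block (up to the first blank line) of a CGI response and
 * report a repeated or malformed Status field. */
int check_cgi_headers(const char *resp)
{
    int seen_status = 0;
    const char *line = resp;

    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > 0 && line[len - 1] == '\r') len--;   /* accept CRLF or LF */
        if (len == 0) break;                           /* end of headers */

        const char *colon = memchr(line, ':', len);
        if (colon && colon - line == 6 && strncasecmp(line, "Status", 6) == 0) {
            if (seen_status++) return CGI_DUP_STATUS;  /* second Status field */
            if (!status_value_ok(colon + 1, len - 7)) return CGI_BAD_STATUS;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return CGI_OK;
}

/* Constructed sample: a header block with Status sent twice, the condition
 * the report describes. */
static const char sample_dup[] =
    "Status: 302\r\nStatus: 404\r\nLocation: http://www.google.com/\r\n\r\n";
```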