Home Original page

for NSAPI module, custom request header variables with numbers are removed

Bug #52162 for NSAPI module, custom request header variables with numbers are removed
Submitted: 2010-06-23 19:02 UTC Modified: 2015-06-29 09:05 UTC
From: srinatar@php.net Assigned: thetaphi (profile)
Status: Closed Package: iPlanet related
PHP Version: 5.3.2 OS: Linux
Private report: No CVE-ID: None

 [2010-06-23 19:02 UTC] srinatar@php.net

Description:
------------
for example, if u try to request print-header.php (which contains the following)

<?
  print "\nContents of \$_SERVER:\n";
  foreach ($_SERVER as $k => $v) {
     print "   $k = $v\n";
  }
  print "</pre>\n";
?>


by doing some thing like
$ telnet localhost 80
Trying 192.168.20.126...
Connected to s10u7x.
Escape character is '^]'.
GET /print-header.php HTTP/1.0
X-T3crawler: foobar

u get output as 
HTTP_X_T_CRAWLER = foobar -> unexpected result

what do u expect is 

HTTP_X_T3_CRAWLER = foobar -> expected result

Expected result:
----------------
HTTP_X_T3_CRAWLER = foobar -> expected result

Actual result:
--------------
u get output as 
HTTP_X_T_CRAWLER = foobar -> unexpected result

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2010-06-23 20:04 UTC] srinatar@php.net

here is the suggested patch to address this issue


[sn123202@mbelshe]'PHP_5_3'>svn diff sapi/nsapi/nsapi.c 
Index: sapi/nsapi/nsapi.c
===================================================================
--- sapi/nsapi/nsapi.c  (revision 300702)
+++ sapi/nsapi/nsapi.c  (working copy)
@@ -687,7 +687,7 @@
                                if (value) {
                                        for(p = value + pos; *p; p++) {
                                                *p = toupper(*p);
-                                               if (*p < 'A' || *p > 'Z') {
+                                               if (!isalnum(*p)) {
                                                        *p = '_';
                                                }
                                        }


if no one has any issues, i can commit this patch..

 [2010-06-23 20:06 UTC] srinatar@php.net

-Summary: custom request header variables with numbers are removed +Summary: for NSAPI module, custom request header variables with numbers are removed

 [2010-06-23 20:06 UTC] srinatar@php.net

mark the bug as specific to a given SAPI only.

 [2010-06-23 20:28 UTC] thetaphi@php.net

I will fix that! Thanks for reporting. Uwe

 [2010-06-23 20:30 UTC] thetaphi@php.net

I think this problem also affects other SAPIs that parse headers to ENV-style variables? I will scan other sapis and fix their code, too, if needed.

 [2010-06-23 21:41 UTC] thetaphi@php.net

From the CGI/1.1 spec in RFC3875:
   Meta-variables with names beginning with "HTTP_" contain values read
   from the client request header fields, if the protocol used is HTTP.
   The HTTP header field name is converted to upper case, has all
   occurrences of "-" replaced with "_" and has "HTTP_" prepended to
   give the meta-variable name.  The header data can be presented as
   sent by the client, or can be rewritten in ways which do not change
   its semantics.  If multiple header fields with the same field-name
   are received then the server MUST rewrite them as a single value
   having the same semantics.  Similarly, a header field that spans
   multiple lines MUST be merged onto a single line.  The server MUST,
   if necessary, change the representation of the data (for example,
   the character set) to be appropriate for a CGI meta-variable.

So I tend to remove the check explicitely and only specifically handle the "-" character as described in the specs.

 [2015-06-29 09:05 UTC] thetaphi@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

This was already fixed. The remaining change will not be done anymore, as the NSAPI module was retired for PHP 7.