content-type must appear at the end of headers for 201 Location to work in http

Bug #61548

Submitted:

2012-03-28 22:14 UTC

Modified:

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

david at greenseedtechnologies dot com

Assigned:

Status:

Closed

Package:

HTTP related

PHP Version:

5.3.10

OS:

linux

Private report:

CVE-ID:

None

[2012-03-28 22:14 UTC] david at greenseedtechnologies dot com

Description:
------------
Line 445 of http_fopen_wrapper.c
only works of the content-type is at the end of a list of header fields in the 
context. It fails if it is in the middle, or the beginning.

memmove(tmp, tmp + (s2 + 1 - tmp_c), tmp_c + l - 1 - s2);

To see the problem watch the HTTP stream in something like WireShark.


Test script:
---------------
<?php
$http = array(
   'header' =>
      null
      ."AnyHeader: 1\r\n"
      // BUG on line 445 of http_fopen_wrapper.c of PHP: content_type cannot be in the middle of headers.
      ."Content-type: anythingyouwanthere\r\n"
      ."SomeOtherHeader: 2\r\n"
);
/*
PHP incorrectly sends across when following the "Location":
GET /services/storm/lead HTTP/1.0
Host: storm
SomeOtherHeader: 2ent-type: anythingyouwanthere
SomeOtherHeader: 2
 */
$http['method'] = 'POST';
$options = array('http' => $http);
$context = stream_context_create($options);
$result = file_get_contents('http://some/url/that/resturns/201/and/has/a/Location/in/the/header', false, $context);


Expected result:
----------------
GET /services/storm/lead HTTP/1.0
Host: storm
AnyHeader: 1
SomeOtherHeader: 2

Actual result:
--------------
GET /services/storm/lead HTTP/1.0
Host: storm
SomeOtherHeader: 2ent-type: anythingyouwanthere
SomeOtherHeader: 2

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-10-01 09:13 UTC] mike@php.net

-Status: Open +Status: Closed

[2015-07-10 11:33 UTC] spam2 at rhsoft dot net

Related To: Bug #70039

[2015-07-10 13:21 UTC] spam2 at rhsoft dot net

Related To: Bug #70039