| Bug #67428 | header('Location: foo') will override a 308-399 response code | | |
|---|---|---|---|
| Submitted: | 2014-06-12 22:55 UTC | Modified: | 2014-06-13 00:43 UTC |
| From: | aharvey@php.net | Assigned: | aharvey |
| Status: | Closed | Package: | HTTP related |
| PHP Version: | 5.4.29 | OS: | Irrelevant |
| Private report: | No | CVE-ID: | None |
[2014-06-12 22:55 UTC] aharvey@php.net
Description:
------------
header('Location: foo') overrides the response code if it isn't 201 or 301-307, inclusive. With 308 Permanent Redirect now being added to HTTP 1.1, this is overly restrictive. We should prevent changing the response code for any 3xx response code.
Test script:
---------------
<?php
header('HTTP/1.1 308 Permanent Redirect');
header('Location: http://foo.bar');
?>
Expected result:
----------------
HTTP/1.1 308 Permanent Redirect
Host: localhost:8000
Connection: close
X-Powered-By: PHP/5.5.13-dev
Location: http://foo.bar
Content-type: text/html
Actual result:
--------------
HTTP/1.1 302 Found
Host: localhost:8000
Connection: close
X-Powered-By: PHP/5.5.13-dev
Location: http://foo.bar
Content-type: text/html