On Tue, Dec 21, 2021 at 6:59 PM Christoph M. Becker <cmbecke...@gmx.de> wrote:
> Hi all, > > a while ago it has been reported[1] that our header() function actually > allows arbitrary status codes, which may even overflow. Of course, that > makes no sense, since the status code is supposed to be a three digit > code. So this ticket has been followed up by a pull request[2], and > Jakub suggested to further restrict the status code to be in range 100 - > 599. > Personally, I don't like restricting the status code to a number in the 100-599 range. As far as I know, RFC 7230 doesn't mandate anything beyond the requirement of 3 digits and while 7231 may only specify semantics for 1xx-5xx, that doesn't mean there isn't a legitimate use-case in custom or internal applications for status codes outside the usual semantics. The overflow part is a legit bug which can and should be fixed, but I'd at least question whether a user should be obliged to stick to conventional HTTP semantics via the header() function, or even a strictly conformant implementation of the standards defined 7320. Maybe this behaviour could be default but overridable via a new, fourth optional parameter or something, I don't know...but I can easily imagine someone having a legitimate context in which they want to send status codes outside the usual range representing custom semantics. > > Since this could break some pathological cases, I wanted to ask whether > anybody objects to this change for the master branch (i.e. PHP 8.2). > > [1] <https://bugs.php.net/bug.php?id=81645> > [2] <https://github.com/php/php-src/pull/7676> > > Christoph > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: https://www.php.net/unsub.php > >