From:
Operating system: Debian Lenny
PHP version: 5.3.2
Package: HTTP related
Bug Type: Bug
Bug description:header("Location:") changing HTTP status
Description:
------------
Please see bug #25044 (http://bugs.php.net/bug.php?id=25044), where this
issue has previously been addressed to some extent.
When this previous bug was fixed, the fix simply involved adding the exact
mentioned codes to an exception list for status response codes that are not
overwritten upon sending a Location header. Now, 201, 301, 303, 305, and
307 do not overwrite the Response code. Nevertheless, all others still do.
A more permanent fix would be not setting the status for ANY response code
(very similar to the actual fix originally suggested for #25044). For
backwards compatibility, you could set the response code if it has not
already been set at the time that the Location header is set; but it should
never be overwritten if it already has been set.
HTTP Responses 503 and 426 come immediately to mind as additional
reasonable cases for adding a Location header; but in fact, neither RFC
1945 (HTTP/1.0), RFC 2616 (HTTP/1.1), RFC 2817 (Upgrading to TLS Within
HTTP/1.1), nor any other IETF or other relevant standard limits the
Location header to any particular response, other than to recommend
("SHOULD") it for 301, 302, 303, 305 (could be read as "MUST"), 307, and
suggest it for 201 (and "intentionally undefined" by RFC 4918 (HTTP
Extensions for Web Distributed Authoring and Versioning (WebDAV)) for 207).
So preventing any status code from having a Location header is undesirable
(however silly it may be for some certain responses). This would
future-proof the code in question against any future changes that do not
involve a mandatory or forbidden Location: field (for which the current
code would most likely require patching anyway).
(To be fair, this is documented behavior, even if it is
non-standards-compliant. Mind you, the documentation is contradictory;
http_response_code apparently "Forces the HTTP response code to the
specified value.", but at the same time, "The second special case is the
"Location:" header. Not only does it send this header back to the browser,
but it also returns a REDIRECT (302) status code to the browser unless the
201 or a 3xx status code has already been set". It is also true that most
current clients will ignore a Location header for most non-3xx responses,
but that is unimportant.)
I would not consider this issue to have particular security concerns.
Test script:
---------------
header("HTTP/1.1 503 Service Unavailable");
header("Location: http://www.php.net/";);
Expected result:
----------------
HTTP Response:
HTTP/1.1 503 Service Unavailable
Location: http://www.php.net/
Actual result:
--------------
HTTP Response:
HTTP/1.1 302 Found
Location: http://www.php.net/
--
Edit bug report at http://bugs.php.net/bug.php?id=51749&edit=1
--
Try a snapshot (PHP 5.2):
http://bugs.php.net/fix.php?id=51749&r=trysnapshot52
Try a snapshot (PHP 5.3):
http://bugs.php.net/fix.php?id=51749&r=trysnapshot53
Try a snapshot (PHP 6.0):
http://bugs.php.net/fix.php?id=51749&r=trysnapshot60
Fixed in SVN:
http://bugs.php.net/fix.php?id=51749&r=fixed
Fixed in SVN and need be documented:
http://bugs.php.net/fix.php?id=51749&r=needdocs
Fixed in release:
http://bugs.php.net/fix.php?id=51749&r=alreadyfixed
Need backtrace:
http://bugs.php.net/fix.php?id=51749&r=needtrace
Need Reproduce Script:
http://bugs.php.net/fix.php?id=51749&r=needscript
Try newer version:
http://bugs.php.net/fix.php?id=51749&r=oldversion
Not developer issue:
http://bugs.php.net/fix.php?id=51749&r=support
Expected behavior:
http://bugs.php.net/fix.php?id=51749&r=notwrong
Not enough info:
http://bugs.php.net/fix.php?id=51749&r=notenoughinfo
Submitted twice:
http://bugs.php.net/fix.php?id=51749&r=submittedtwice
register_globals:
http://bugs.php.net/fix.php?id=51749&r=globals
PHP 4 support discontinued: http://bugs.php.net/fix.php?id=51749&r=php4
Daylight Savings: http://bugs.php.net/fix.php?id=51749&r=dst
IIS Stability:
http://bugs.php.net/fix.php?id=51749&r=isapi
Install GNU Sed:
http://bugs.php.net/fix.php?id=51749&r=gnused
Floating point limitations:
http://bugs.php.net/fix.php?id=51749&r=float
No Zend Extensions:
http://bugs.php.net/fix.php?id=51749&r=nozend
MySQL Configuration Error:
http://bugs.php.net/fix.php?id=51749&r=mysqlcfg
