Edit report at https://bugs.php.net/bug.php?id=62086&edit=1

 ID:                 62086
 Comment by:         anon at anon dot anon
 Reported by:        dave dot kimble at gmx dot com
 Summary:            header() in 404 error page
 Status:             Open
 Type:               Bug
 Package:            Other web server
 Operating System:   Win 7 Ult 32
 PHP Version:        5.4.3
 Block user comment: N
 Private report:     N

 New Comment:

It looks like your error page is not configured to be interpreted as PHP, so 
everything from <?php to BR> is interpreted by the browser as a single HTML 
tag. Also the URL in your exit statement should be passed through 
htmlspecialchars to avoid an XSS vulnerability.


Previous Comments:
------------------------------------------------------------------------
[2012-05-21 07:14:02] dave dot kimble at gmx dot com

Description:
------------
I am trying to redirect all external links to pages in 
http://www.*******.org.au/dave.kimble/ 
to http://www.davekimble.org.au/ 
by using header() in 404 error page.
Fastream IQWebFTPServer v11.5.5R possibly implicated.

If header() follows echo(), I expect error "headers already written".
Adding echo statements to debug, the output either doesn't appear, or after 
<BR> output is the remaining script itself. 

Same problem with PHP 5.4.0

Test script:
---------------
Must be set in web server as Error Page 404

<?php
// error page for 404
$uri = $_SERVER['REQUEST_URI'];
if (substr($uri, 0, 12 ) == '/dave.kimble' )
{       $restofuri = substr($uri, 12 );
        header('Location: http://www.davekimble.org.au'.$restofuri );
        exit('Redirecting you to http://www.davekimble.org.au'.$restofuri);
}
echo ($uri . ' not found<BR>');
?>


Expected result:
----------------
a) Browser URL: http://test-domain.com/dave.kimble/index.htm
   should return page http://www.davekimble.org.au/index.htm 
b) Browser URL: http://test-domain.com/xxxx.xxx
   should return "/xxxx.xxx not found"

Actual result:
--------------
a) Browser URL: http://test-domain.com/dave.kimble/index.htm
   returns blank page and response status 404
b) Browser URL: http://test-domain.com/xxxx.xxx
   returns '); ?> 
   which is the tail end of the script !


------------------------------------------------------------------------
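
The htmlspecialchars point from the new comment, as an added example that is not code from the report or from PHP itself: the same 404 handler with every echoed value escaped. The names build_404_response() and h(), the explicit 302 status and the path-boundary check on the prefix are assumptions of this example, and the sample URIs are constructed.

```php
<?php
// Added example: hardened variant of the 404 handler from the report.
// build_404_response() and h() are hypothetical helper names.

const OLD_PREFIX = '/dave.kimble';
const NEW_BASE   = 'http://www.davekimble.org.au';

// Escape a value for an HTML text or attribute context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Decide the response for a request URI without emitting anything,
// so the logic can be exercised from the CLI as well as the web server.
function build_404_response(string $uri): array
{
    $len  = strlen(OLD_PREFIX);
    $rest = (string) substr($uri, $len);
    // Accept the prefix only at a path boundary, so the remainder is a
    // path or query and the host part of the Location stays fixed.
    $atBoundary = $rest === '' || $rest[0] === '/' || $rest[0] === '?';
    if (strncmp($uri, OLD_PREFIX, $len) === 0 && $atBoundary) {
        $target = NEW_BASE . $rest;
        return ['status' => 302, 'location' => $target,
                'body'   => 'Redirecting you to ' . h($target)];
    }
    // The "not found" branch echoes the URI too, so it is escaped as well.
    return ['status' => 404, 'location' => null,
            'body'   => h($uri) . ' not found<BR>'];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample URIs; the last two contain markup characters.
    $samples = ['/dave.kimble/index.htm', '/xxxx.xxx',
                '/dave.kimble/a"><b>x</b>', '/<b>x</b>'];
    foreach ($samples as $sample) {
        $r = build_404_response($sample);
        printf("%d  %s\n", $r['status'], $r['body']);
    }
} else {
    $r = build_404_response($_SERVER['REQUEST_URI'] ?? '/');
    http_response_code($r['status']);
    if ($r['location'] !== null) {
        header('Location: ' . $r['location']); // raw URL in the header, escaped copy in the body
    }
    echo $r['body'];
}
```

As the new comment notes, none of this takes effect unless the web server actually hands the error page to the PHP interpreter.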


