Bug #65633 [Opn]: built-in server treat some http headers as case-sensitive

[francesco dot laffi at gmail dot com]

Edit report at https://bugs.php.net/bug.php?id=65633&edit=1

 ID:                 65633
 User updated by:    francesco dot laffi at gmail dot com
 Reported by:        francesco dot laffi at gmail dot com
-Summary:            PHP built-in server
+Summary:            built-in server treat some http headers as
                     case-sensitive
 Status:             Open
 Type:               Bug
 Package:            Built-in web server
 PHP Version:        5.5Git-2013-09-08 (snap)
 Block user comment: N
 Private report:     N

 New Comment:

edited title


Previous Comments:
------------------------------------------------------------------------
[2013-09-08 13:43:56] francesco dot laffi at gmail dot com

Description:
------------
The built-in server look for info in same headers in a case-sensitive way, but 
the 
rfc2616 define http headers fields as case insensitive. 
i.e. 'cookie: foo=bar' should be recognized but the the current cli server only 
recognize correctly 'Cookie: foo=bar'

I tried to fiddle with the code to confirm it, i.e in 
`sapi/cli/php_cli_server.c` 
in the function `sapi_cli_server_read_cookies`:
replace: if (FAILURE == zend_hash_find(&client->request.headers, "Cookie", 
sizeof("Cookie"), (void**)&val))
with: if (FAILURE == zend_hash_find(&client->request.headers, "Cookie", 
sizeof("Cookie"), (void**)&val) && FAILURE == zend_hash_find(&client-
>request.headers, "cookie", sizeof("cookie"), (void**)&val))

And cookies then worked correctly even with lowercase header field. 
I never developed in C so I wont be able to produce a full patch. The above 
snippet is not a suggestion on how to fix it, just pointing where the bug is. 
In 
the same file I see there are other headers checked in the same way. 

I also noticed that even if it doesnt fill the $_COOKIE superglobal it does put 
the cookie header in $_SERVER['HTTP_COOKIE'], so its already case-insensitive 
in 
some code.

Looking around about this I found this bug on other projects but I didnt 
found it here, other sources for reference:
https://github.com/symfony/symfony/issues/8278
https://github.com/37signals/pow/issues/319

Test script:
---------------
echo '<?php var_dump($_COOKIE);' > index.php
php -S 127.0.0.1:8080
curl http://127.0.0.1:8080 -H 'Cookie: foo=bar'
curl http://127.0.0.1:8080 -H 'cookie: foo=bar'


Expected result:
----------------
the two curl request return the same output

Actual result:
--------------
> curl http://127.0.0.1:8080 -H 'Cookie: foo=bar'
array(1) {
  ["foo"]=>
  string(3) "bar"
}
> curl http://127.0.0.1:8080 -H 'cookie: foo=bar'
array(0) {
}


------------------------------------------------------------------------



-- 
Edit this bug report at https://bugs.php.net/bug.php?id=65633&edit=1