#22127 [NEW]: bogus http response when force-cgi-redirect safety mechanism triggered

Sat, 08 Feb 2003 12:45:59 -0800 

From:             [EMAIL PROTECTED]
Operating system: windows, linux
PHP version:      4CVS-2003-02-08 (stable)
PHP Bug Type:     HTTP related
Bug description:  bogus http response when force-cgi-redirect safety mechanism 
triggered

When php is used in cgi mode with force-cgi-redirect enabled, and the
safety mechanism is triggered, PHP produces a bogus http response line:
HTTP/1.1 0
this is invalid and browsers fail to display the output.
it happens for PHP 4.3.0 and a fresh PHP 4.3.1-dev snapshot under both
Windows and Linux.
AFAIK 0 is not a valid response code, and unless one uses a non-compliant
browser or accesses the page through a raw telnet session, the warning
page cannot be seen.
it would be desirable for PHP to produce a meaningful response code, such
as 200, 403 or 500.
for example:

GET /cgi-bin/php/pi.php HTTP/1.1
HOST: mysite

HTTP/1.1 0
Date: Sat, 08 Feb 2003 20:32:46 GMT
Server: Apache/1.3.27 (Unix) PHP/4.3.0
Transfer-Encoding: chunked
Content-Type: text/html; charset=windows-1251

283
<b>Security Alert!</b> The PHP CGI cannot be accessed directly.

<p>This PHP CGI binary was compiled with force-cgi-redirect enabled. 
This
means that a page will only be served up if the REDIRECT_STATUS CGI
variable is
set, e.g. via an Apache Action directive.</p>
<p>For more information as to <i>why</i> this behaviour exists, see the <a
href="http://php.net/security.cgi-bin";>manual page for CGI
security</a>.</p>
<p>For more information about changing this behaviour or re-enabling this
webserver,
consult the installation file that came with this distribution, or visit
<a href="http://php.net/install.windows";>the manual page</a>.</p>

0

-- 
Edit bug report at http://bugs.php.net/?id=22127&edit=1
-- 
Try a CVS snapshot:         http://bugs.php.net/fix.php?id=22127&r=trysnapshot
Fixed in CVS:               http://bugs.php.net/fix.php?id=22127&r=fixedcvs
Fixed in release:           http://bugs.php.net/fix.php?id=22127&r=alreadyfixed
Need backtrace:             http://bugs.php.net/fix.php?id=22127&r=needtrace
Try newer version:          http://bugs.php.net/fix.php?id=22127&r=oldversion
Not developer issue:        http://bugs.php.net/fix.php?id=22127&r=support
Expected behavior:          http://bugs.php.net/fix.php?id=22127&r=notwrong
Not enough info:            http://bugs.php.net/fix.php?id=22127&r=notenoughinfo
Submitted twice:            http://bugs.php.net/fix.php?id=22127&r=submittedtwice
register_globals:           http://bugs.php.net/fix.php?id=22127&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=22127&r=php3
Daylight Savings:           http://bugs.php.net/fix.php?id=22127&r=dst
IIS Stability:              http://bugs.php.net/fix.php?id=22127&r=isapi
Install GNU Sed:            http://bugs.php.net/fix.php?id=22127&r=gnused

Reply via email to