cataphract Tue, 26 Oct 2010 02:16:21 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=304903
Log: - Implemented request #44164, zlib.output_compression is now implicitly disabled when the header "Content-length" is set. #One could argue that any output handler could change the size of the #response, so this exception for zlib.output_compression is an #inconsistency. However, zlib.output_compression is presented as a #performance setting, whose value should have no effect on the #correctness of the scripts. This was not the case. Setting the #header "content-length" and enabling zlib.output_compression was #a recipe for infringing section 4.4 of RFC 2616. Bug: http://bugs.php.net/44164 (Assigned) Handle "Content-Length" HTTP header when zlib.output_compression active Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/main/SAPI.c A php/php-src/branches/PHP_5_3/tests/basic/req44164.phpt U php/php-src/trunk/main/SAPI.c A php/php-src/trunk/tests/basic/req44164.phpt
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2010-10-25 23:46:54 UTC (rev 304902)
+++ php/php-src/branches/PHP_5_3/NEWS 2010-10-26 02:16:21 UTC (rev 304903)
@@ -17,6 +17,8 @@ for empty uploads and, in debug mode, 0-length uploads. (Gustavo) - Added a 3rd parameter to get_html_translation_table. It now takes a charset hint, like htmlentities et al. (Gustavo) +- Implemented FR #44164, setting the header "Content-length" implicitly + disables zlib.output_compression. - Fixed NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709). (Maksymilian Arciemowicz)
Modified: php/php-src/branches/PHP_5_3/main/SAPI.c
===================================================================
--- php/php-src/branches/PHP_5_3/main/SAPI.c 2010-10-25 23:46:54 UTC (rev 304902)
+++ php/php-src/branches/PHP_5_3/main/SAPI.c 2010-10-26 02:16:21 UTC (rev 304903)
@@ -657,6 +657,14 @@
 }
 efree(mimetype);
 SG(sapi_headers).send_default_content_type = 0;
+ } else if (!STRCASECMP(header_line, "Content-Length")) {
+ /* Script is setting Content-length. The script cannot reasonably
+ * know the size of the message body after compression, so it's best
+ * do disable compression altogether. This contributes to making scripts
+ * portable between setups that have and don't have zlib compression
+ * enabled globally. See req #44164 */
+ zend_alter_ini_entry("zlib.output_compression", sizeof("zlib.output_compression"),
+ "0", sizeof("0") - 1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
 } else if (!STRCASECMP(header_line, "Location")) {
 if ((SG(sapi_headers).http_response_code < 300 ||
 SG(sapi_headers).http_response_code > 307) &&
Added: php/php-src/branches/PHP_5_3/tests/basic/req44164.phpt
===================================================================
--- php/php-src/branches/PHP_5_3/tests/basic/req44164.phpt (rev 0)
+++ php/php-src/branches/PHP_5_3/tests/basic/req44164.phpt 2010-10-26 02:16:21 UTC (rev 304903)
@@ -0,0 +1,17 @@
+--TEST--
+Req #44164 (Handle "Content-Length" HTTP header when zlib.output_compression active)
+--SKIPIF--
+<?php
+if (!function_exists('gzdeflate'))
+ die("skip zlib extension required");
+?>
+--INI--
+zlib.output_compression=On
+--ENV--
+HTTP_ACCEPT_ENCODING=gzip
+--FILE--
+<?php
+header("Content-length: 200");
+echo str_repeat("a", 200);
+--EXPECT--
+aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Modified: php/php-src/trunk/main/SAPI.c
===================================================================
--- php/php-src/trunk/main/SAPI.c 2010-10-25 23:46:54 UTC (rev 304902)
+++ php/php-src/trunk/main/SAPI.c 2010-10-26 02:16:21 UTC (rev 304903)
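Review bot: The result of `zend_alter_ini_entry()` in the new `Content-Length` branch is discarded, so if the change is refused (the call is made with `PHP_INI_USER`, which presumably fails when an administrator has locked the setting) the script's length is still sent while the body is compressed. That is the mismatch the log message cites from RFC 2616 section 4.4, and it can truncate responses or leave intermediaries on persistent connections disagreeing about where the message ends. Check the return, e.g. `if (zend_alter_ini_entry(...) == FAILURE) { /* compression still active: do not forward the script's Content-Length */ }`, and decide explicitly what happens to the header in that case. The added comment also has a typo: `it's best do disable` should read `it's best to disable`. The same lines are added to trunk/main/SAPI.c at -706, and the enclosing function begins and ends outside both hunks.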
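Review bot: `--EXPECT--` in req44164.phpt checks only the body, so the test would still pass if the response carried a `Content-Encoding: gzip` header or an altered `Content-Length` alongside the uncompressed output. If the test runs under a SAPI that emits headers, an `--EXPECTHEADERS--` section containing `Content-length: 200` would pin the header this feature is about. A second case that calls `header()` after some output has already been buffered would show whether the switch still takes effect at that point, which cannot be read from this diff. The identical test added under trunk/tests/basic has the same gap.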
@@ -706,6 +706,14 @@
 }
 efree(mimetype);
 SG(sapi_headers).send_default_content_type = 0;
+ } else if (!STRCASECMP(header_line, "Content-Length")) {
+ /* Script is setting Content-length. The script cannot reasonably
+ * know the size of the message body after compression, so it's best
+ * do disable compression altogether. This contributes to making scripts
+ * portable between setups that have and don't have zlib compression
+ * enabled globally. See req #44164 */
+ zend_alter_ini_entry("zlib.output_compression", sizeof("zlib.output_compression"),
+ "0", sizeof("0") - 1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
 } else if (!STRCASECMP(header_line, "Location")) {
 if ((SG(sapi_headers).http_response_code < 300 ||
 SG(sapi_headers).http_response_code > 307) &&
Added: php/php-src/trunk/tests/basic/req44164.phpt
===================================================================
--- php/php-src/trunk/tests/basic/req44164.phpt (rev 0)
+++ php/php-src/trunk/tests/basic/req44164.phpt 2010-10-26 02:16:21 UTC (rev 304903)
@@ -0,0 +1,17 @@
+--TEST--
+Req #44164 (Handle "Content-Length" HTTP header when zlib.output_compression active)
+--SKIPIF--
+<?php
+if (!function_exists('gzdeflate'))
+ die("skip zlib extension required");
+?>
+--INI--
+zlib.output_compression=On
+--ENV--
+HTTP_ACCEPT_ENCODING=gzip
+--FILE--
+<?php
+header("Content-length: 200");
+echo str_repeat("a", 200);
+--EXPECT--
+aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa