Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:116724
Return-Path: <davidgebler@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 60482 invoked from network); 22 Dec 2021 23:02:34 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 22 Dec 2021 23:02:34 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 3D641180539
	for <internals@lists.php.net>; Wed, 22 Dec 2021 16:06:38 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.7 required=5.0 tests=BAYES_05,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <davidgebler@gmail.com>
Received: from mail-ed1-f54.google.com (mail-ed1-f54.google.com [209.85.208.54])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Wed, 22 Dec 2021 16:06:34 -0800 (PST)
Received: by mail-ed1-f54.google.com with SMTP id j6so14573481edw.12
        for <internals@lists.php.net>; Wed, 22 Dec 2021 16:06:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=y/UkNIGqBruMx8kdhMa3KFsX44QZzZ+Xfwf4AeSEI84=;
        b=DR5aJJgatpvu9LMYbxHHNFxko4s4mvKFPpEl8QV4ZDKaxNpDt0/YpZqjevIHqY7kRf
         GYjpfLrqdq8m4z2Vf1LTYRmctOa/4YDWI3iH2kyWTVRJT1wUxRlOaj2wac3cBhuSxvKZ
         BsBITFaLxXHTdm5YI9nNSGOK/Kpb1Qe9OIhQtL2U34Jyof6qvYbKsLxgvYBrFpzu7JAw
         mIyiBXT/KW4tO+hNuWw5mejTeDM3bRzx7HsVmzlq0XuQmWdTcO9BYIRIu2H7S8Ny5Gie
         C7aOoXcESM17maVRUjQrIbV2NG+84s+FiLUtb+eJf8Oc/7EIo2rn0LuCLqL73S8bnYiX
         cJMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=y/UkNIGqBruMx8kdhMa3KFsX44QZzZ+Xfwf4AeSEI84=;
        b=nFxoreyh9IXri6oF6QpdxeITSCEAKV78niqnkVzKzZ8w1xW36ux9uiLxeCLrdZBwLI
         Uovi2fi1moPZJ6uFzpMA/kkRu9tXFfnHK+yo372W83ymmK45eURoAcFJ/DbniCYEyQzQ
         hHRkvGgqKNJ9QUccI2hhfQOE8PNHRWUJlMrRgOp98FD2fS3HihCw41xh3uIl+xyT0Xlf
         E/EC3ZcdSZAz4Sokmjr2EXSxEL2Q5gzLv28vKHsdVUlB860Qb/RmgYGQSjEF1cjWPveC
         bDfoOXeZwSWhZFf5e50sKYFNMEUAdkY3j2ikIeU9cT7z0BGzn74Tq9MthwraKfka9v28
         HKow==
X-Gm-Message-State: AOAM530LoqQ9ACNHrSpXvJb1w6kWRepKZRX66YrYlaZKSBEDbY2lr4vf
	keNImv8EGeNhJ1vt1M0X8W36r7t2MLhnJkEI4sVyiNKeupQ=
X-Google-Smtp-Source: ABdhPJxqE/ou/R2N5PQVTJbvwjkyFrU7wUz2ftq6wYOkkg7pbPzMWYhTuEfYcROBDfdkIka6bnLCPErRGXrGnlZ9LMQ=
X-Received: by 2002:aa7:d749:: with SMTP id a9mr87082eds.232.1640217993107;
 Wed, 22 Dec 2021 16:06:33 -0800 (PST)
MIME-Version: 1.0
References: <5d2b1d8f-9b7a-558f-8750-cc97b3ad0589@gmx.de>
In-Reply-To: <5d2b1d8f-9b7a-558f-8750-cc97b3ad0589@gmx.de>
Date: Thu, 23 Dec 2021 00:06:22 +0000
Message-ID: <CA+p1FaaAb4Oa2tX8tgnnSERobwBa0MTU42QoJ4v6x-i3JB2yyA@mail.gmail.com>
To: "Christoph M. Becker" <cmbecker69@gmx.de>
Cc: PHP internals <internals@lists.php.net>, Jakub Zelenka <bukka@php.net>
Content-Type: multipart/alternative; boundary="000000000000d55b5705d3c502c2"
Subject: Re: [PHP-DEV] header() allows arbitrary status codes
From: davidgebler@gmail.com (David Gebler)

--000000000000d55b5705d3c502c2
Content-Type: text/plain; charset="UTF-8"

On Tue, Dec 21, 2021 at 6:59 PM Christoph M. Becker <cmbecker69@gmx.de>
wrote:

> Hi all,
>
> a while ago it has been reported[1] that our header() function actually
> allows arbitrary status codes, which may even overflow.  Of course, that
> makes no sense, since the status code is supposed to be a three digit
> code.  So this ticket has been followed up by a pull request[2], and
> Jakub suggested to further restrict the status code to be in range 100 -
> 599.
>

Personally, I don't like restricting the status code to a number in the
100-599 range. As far as I know, RFC 7230 doesn't mandate anything beyond
the requirement of 3 digits and while 7231 may only specify semantics for
1xx-5xx, that doesn't mean there isn't a legitimate use-case in custom or
internal applications for status codes outside the usual semantics.

The overflow part is a legit bug which can and should be fixed, but I'd at
least question whether a user should be obliged to stick to conventional
HTTP semantics via the header() function, or even a strictly conformant
implementation of the standards defined 7320. Maybe this behaviour could be
default but overridable via a new, fourth optional parameter or something,
I don't know...but I can easily imagine someone having a legitimate context
in which they want to send status codes outside the usual range
representing custom semantics.


>
> Since this could break some pathological cases, I wanted to ask whether
> anybody objects to this change for the master branch (i.e. PHP 8.2).
>
> [1] <https://bugs.php.net/bug.php?id=81645>
> [2] <https://github.com/php/php-src/pull/7676>
>
> Christoph
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: https://www.php.net/unsub.php
>
>

--000000000000d55b5705d3c502c2--