Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:116726 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 91261 invoked from network); 23 Dec 2021 11:43:08 -0000 Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5) by pb1.pair.com with SMTP; 23 Dec 2021 11:43:08 -0000 Received: from php-smtp4.php.net (localhost [127.0.0.1]) by php-smtp4.php.net (Postfix) with ESMTP id 9A0CE180507 for ; Thu, 23 Dec 2021 04:47:19 -0800 (PST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM,HTML_MESSAGE, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.2 X-Spam-ASN: AS15169 209.85.128.0/17 X-Spam-Virus: No X-Envelope-From: Received: from mail-ed1-f49.google.com (mail-ed1-f49.google.com [209.85.208.49]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by php-smtp4.php.net (Postfix) with ESMTPS for ; Thu, 23 Dec 2021 04:47:16 -0800 (PST) Received: by mail-ed1-f49.google.com with SMTP id o6so21019691edc.4 for ; Thu, 23 Dec 2021 04:47:16 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Wgu6Xsw/MxmnB3Lmo1g8s2yH0k9ZAQ/amZapK6A4VBA=; b=Cxsbs8AXXHzikpwrPEhXDWD6IFbUxGZFIkbwDIkUsQaWQUivYdHMxJ+RWCWJHt5/hT kxW9+YGzGBzvCJ0ZG/EEW04JYLOdX6Vc7hxnJMHf2U7vanOr7jR1jGD2kNs2Tr55Rulx pbi1JNCfoR5BomNXdK2Z4UeFwMpjSuecfqzL3d/1+OCPl2nPWfRcK9/0r0dEUlmB7xby ZB1VRwncLdqjUunZEdhf6nmd0GZIsd+idpNhiaQ20tzl6fFPxbNlLqJfziscOC56jH2y sztRcXFeZKHMIi3tQC14R8JJYvWmgbP9aVbU6towUa3+X1bSwgDxQQ1dOhZEBXrhGgt8 l3xg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Wgu6Xsw/MxmnB3Lmo1g8s2yH0k9ZAQ/amZapK6A4VBA=; b=Kig+GTFIni9nPMv3ZnnzLeFHgAEa6Hg8gimsgvLua/k9Fm+jSgLENZKJYS/AeDkXqf PXcKj6BDc5aorfb0PFGoIRB5dz00CNUnPXx4trwjDJeVlTR/4sK3rmMYm8Fqz9wZK26z J3HUDzDoA/B5pepaBYpMtSz/IyOSfVC5ltWir5bRDyIfbWrgOFiSOiSeNM2wklPULupE qtLfVzL+H1NrwLqND6L3MscUEIqBFU0KpRx7BVROQQR5xQpSVkT+rtYVAYj5OX/8m4Hg W3CvUnbe3oZV1KEqg4AuM5PsaEZ2ELp3w8wzo5PbmXrgZbnjWI85AQE6ZCwankXmrZVh tu0A== X-Gm-Message-State: AOAM532OynKp9Dnb9gwP4TgiW+HSn9ODA143suqvcAI9nKh7aLY1JadC vh1KAn2fG1ICwACRk7vDG8DAV1aiblc5vonC+yI+EaUO X-Google-Smtp-Source: ABdhPJxIIcqZY8NQY1ImcjH3JF7dRZBdZhe8BAOpxNuny9++iuqtgl3DRScLjYk4BmtCyUeNzALepnQhnsXjiZj9Pko= X-Received: by 2002:a17:907:d07:: with SMTP id gn7mr1854766ejc.553.1640263634916; Thu, 23 Dec 2021 04:47:14 -0800 (PST) MIME-Version: 1.0 References: <5d2b1d8f-9b7a-558f-8750-cc97b3ad0589@gmx.de> In-Reply-To: Date: Thu, 23 Dec 2021 12:47:07 +0000 Message-ID: To: David Gebler Cc: "Christoph M. Becker" , PHP internals , Jakub Zelenka Content-Type: multipart/alternative; boundary="0000000000004c1b4f05d3cfa379" Subject: Re: [PHP-DEV] header() allows arbitrary status codes From: dragoonis@gmail.com (Paul Dragoonis) --0000000000004c1b4f05d3cfa379 Content-Type: text/plain; charset="UTF-8" On Thu, 23 Dec 2021, 00:06 David Gebler, wrote: > On Tue, Dec 21, 2021 at 6:59 PM Christoph M. Becker > wrote: > > > Hi all, > > > > a while ago it has been reported[1] that our header() function actually > > allows arbitrary status codes, which may even overflow. Of course, that > > makes no sense, since the status code is supposed to be a three digit > > code. So this ticket has been followed up by a pull request[2], and > > Jakub suggested to further restrict the status code to be in range 100 - > > 599. > > > > Personally, I don't like restricting the status code to a number in the > 100-599 range. As far as I know, RFC 7230 doesn't mandate anything beyond > the requirement of 3 digits and while 7231 may only specify semantics for > 1xx-5xx, that doesn't mean there isn't a legitimate use-case in custom or > internal applications for status codes outside the usual semantics. > > The overflow part is a legit bug which can and should be fixed, but I'd at > least question whether a user should be obliged to stick to conventional > HTTP semantics via the header() function, or even a strictly conformant > implementation of the standards defined 7320. Maybe this behaviour could be > default but overridable via a new, fourth optional parameter or something, > I don't know...but I can easily imagine someone having a legitimate context > in which they want to send status codes outside the usual range > representing custom semantics. > I think its safe to say we should restrict the overflow parts. As for boundaries; I don't know who is or isn't using their own custom status codes. It's unlikely, but entirely possible. As such, this is considered a BC break. If we apply restrictions to a minor release, then upgrading will be harder for 8.2 if we include this in the next release. You could say 98% of people are using standard ranges for status codes, but we do have to always take into account the 2% on our decisions. Thanks. > > > > > Since this could break some pathological cases, I wanted to ask whether > > anybody objects to this change for the master branch (i.e. PHP 8.2). > > > > [1] > > [2] > > > > Christoph > > > > -- > > PHP Internals - PHP Runtime Development Mailing List > > To unsubscribe, visit: https://www.php.net/unsub.php > > > > > --0000000000004c1b4f05d3cfa379--