Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:116728
Return-Path: <divinity76@gmail.com>
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 4212 invoked from network); 23 Dec 2021 14:50:07 -0000
Received: from unknown (HELO php-smtp4.php.net) (45.112.84.5)
  by pb1.pair.com with SMTP; 23 Dec 2021 14:50:07 -0000
Received: from php-smtp4.php.net (localhost [127.0.0.1])
	by php-smtp4.php.net (Postfix) with ESMTP id 5E7701804D4
	for <internals@lists.php.net>; Thu, 23 Dec 2021 07:54:21 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on php-smtp4.php.net
X-Spam-Level: 
X-Spam-Status: No, score=-0.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT,
	FREEMAIL_FROM,HTML_MESSAGE,MISSING_HEADERS,RCVD_IN_DNSWL_NONE,
	RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS
	autolearn=no autolearn_force=no version=3.4.2
X-Spam-ASN: AS15169 209.85.128.0/17
X-Spam-Virus: No
X-Envelope-From: <divinity76@gmail.com>
Received: from mail-pf1-f181.google.com (mail-pf1-f181.google.com [209.85.210.181])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by php-smtp4.php.net (Postfix) with ESMTPS
	for <internals@lists.php.net>; Thu, 23 Dec 2021 07:54:21 -0800 (PST)
Received: by mail-pf1-f181.google.com with SMTP id k64so5603943pfd.11
        for <internals@lists.php.net>; Thu, 23 Dec 2021 07:54:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:cc;
        bh=jyCNkr98PGiXWAEyWPszepR6hqrJQHiTv0R9JyuRkj0=;
        b=YU/JLeXST7P1heTSAZzqA8Wtd5LAOK7dTMKHCJG4ZnGHKASoudcyKswLgSTawsbbp8
         q8er4rcmJkKOrRrTGwcKgQyZQaF9ejxs5fxRr8ZeIwfIucJpPrqnklaJYfbIqrlIp8qq
         ugjfO3Wgjd6W/HNYt7sw2d17DbkBTg4kuov1uey7V24rKisxhGutVl0gRWB7xYiythYf
         dHsEwF3ThsTUqZbBba25Aau5p7SP6wcivlMKny1ajJj+OdjEjdP2k14EfBjehrww2A3Z
         9bLqi4VU/AUzIYdmhLzWgn36dTWBJlTb/XkrXcqCjiVhR5oAIqa78LJr6jC9bBMVe2wX
         tx3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:cc;
        bh=jyCNkr98PGiXWAEyWPszepR6hqrJQHiTv0R9JyuRkj0=;
        b=QGHn7BfvhHXiF4sJZD98pNTJpGwZ00Uiff3EjwKEFCeb7D0y+WzeqiI4A+RNlaiguv
         itq5gpKLl+c3DIQrOpuChAsR42TqF54pHVx4JZhniuzO2FfxEprs0aGddDyBSGk1vi3z
         G1bVycZXkzkaqqwfQ6KqcUvJQxkd6j12UlFV30jZ2z/R4s7q0elJkUl01LQhLdOjV7Kp
         gJq8uOFRHlf9uFeWrj66VTh2w4sbi5jlh2HO7WS5131lgmDW5+s6C+uxICWqqw44TcRB
         2SZJmGuGt1zs8UlWo0iu5mp+J6/v+a6EjuFghIVIvcYGmcmWLGi4Z4QO+ssTClyvyl6P
         96bg==
X-Gm-Message-State: AOAM530t9dc+05CiEXiQSz37htuJ6MlFX1a8AKKP2nFa7Kw+8zSB0uK2
	xWB4sqlnTUvPP4AqAvxSi8kSkL0hl+nZ6xPRFcjubgGi/bxwhg==
X-Google-Smtp-Source: ABdhPJyHH6SsiFB6HentdOptjwqeNuI5H+qLaoexiolRfwU0kaxwzzqYRAYl57eFjoyd+atubA5fOjPOs2Kae4vc6mc=
X-Received: by 2002:a65:5b4b:: with SMTP id y11mr2636064pgr.59.1640274859790;
 Thu, 23 Dec 2021 07:54:19 -0800 (PST)
MIME-Version: 1.0
References: <5d2b1d8f-9b7a-558f-8750-cc97b3ad0589@gmx.de> <CA+p1FaaAb4Oa2tX8tgnnSERobwBa0MTU42QoJ4v6x-i3JB2yyA@mail.gmail.com>
 <CAKxcST_Xv4QFFh4VfDE9oD9C1gi8r+UQWwRbXoxiXMMA3C-YJw@mail.gmail.com> <CAJmy8YFLfwWdPcuC3svguc1XQV781jjZBS9=YHFOSN=bO2uTwA@mail.gmail.com>
In-Reply-To: <CAJmy8YFLfwWdPcuC3svguc1XQV781jjZBS9=YHFOSN=bO2uTwA@mail.gmail.com>
Date: Thu, 23 Dec 2021 16:53:43 +0100
Message-ID: <CAJmy8YGMZfw8P6jP2KXcHSqj3xMtaW5aOaJ_=Ri5B-FYZsD86g@mail.gmail.com>
Cc: PHP internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary="0000000000005a177b05d3d240a6"
Subject: Re: [PHP-DEV] header() allows arbitrary status codes
From: divinity76@gmail.com (Hans Henrik Bergan)

--0000000000005a177b05d3d240a6
Content-Type: text/plain; charset="UTF-8"

another thing, it wouldn't surprise me if someone at some point want to
emulate some IIS-specific codes in PHP, like
header("HTTP/1.1 401.3 Unauthorized due to ACL on resource.");

it'd be a shame if PHP literally cannot send IIS-errorcodes

On Thu, 23 Dec 2021 at 16:40, Hans Henrik Bergan <divinity76@gmail.com>
wrote:

> sometime in the future HTTP 6xx will be defined, and we'll have to add a
> big warning to the header()/http_respons_code() pages like
> "Warning: HTTP 6.x.x is only supported in PHP >= x.x.x and PHP <=8.1.x",
> and library developers have to add fugly code like
> `if(PHP_VERSION_MAJOR >= X || (PHP_VERSION_MAJOR <=8 && PHP_VERSION_MINOR
> <= 1){http_response_code(6xx);}else{
> trigger_error("your php version cannot use http 6xx");
> }
>
> i'd prefer if we didn't restrict the header ranges
>
> On Thu, 23 Dec 2021 at 13:47, Paul Dragoonis <dragoonis@gmail.com> wrote:
>
>> On Thu, 23 Dec 2021, 00:06 David Gebler, <davidgebler@gmail.com> wrote:
>>
>> > On Tue, Dec 21, 2021 at 6:59 PM Christoph M. Becker <cmbecker69@gmx.de>
>> > wrote:
>> >
>> > > Hi all,
>> > >
>> > > a while ago it has been reported[1] that our header() function
>> actually
>> > > allows arbitrary status codes, which may even overflow.  Of course,
>> that
>> > > makes no sense, since the status code is supposed to be a three digit
>> > > code.  So this ticket has been followed up by a pull request[2], and
>> > > Jakub suggested to further restrict the status code to be in range
>> 100 -
>> > > 599.
>> > >
>> >
>> > Personally, I don't like restricting the status code to a number in the
>> > 100-599 range. As far as I know, RFC 7230 doesn't mandate anything
>> beyond
>> > the requirement of 3 digits and while 7231 may only specify semantics
>> for
>> > 1xx-5xx, that doesn't mean there isn't a legitimate use-case in custom
>> or
>> > internal applications for status codes outside the usual semantics.
>> >
>> > The overflow part is a legit bug which can and should be fixed, but I'd
>> at
>> > least question whether a user should be obliged to stick to conventional
>> > HTTP semantics via the header() function, or even a strictly conformant
>> > implementation of the standards defined 7320. Maybe this behaviour
>> could be
>> > default but overridable via a new, fourth optional parameter or
>> something,
>> > I don't know...but I can easily imagine someone having a legitimate
>> context
>> > in which they want to send status codes outside the usual range
>> > representing custom semantics.
>> >
>>
>>
>> I think its safe to say we should restrict the overflow parts.
>>
>> As for boundaries; I don't know who is or isn't using their own custom
>> status codes. It's unlikely, but entirely possible. As such, this is
>> considered a BC break.
>>
>> If we apply restrictions to a minor release, then upgrading will be harder
>> for 8.2 if we include this in the next release.
>>
>> You could say 98% of people are using standard ranges for status codes,
>> but
>> we do have to always take into account the 2% on our decisions.
>>
>> Thanks.
>>
>>
>>
>>
>> >
>> > >
>> > > Since this could break some pathological cases, I wanted to ask
>> whether
>> > > anybody objects to this change for the master branch (i.e. PHP 8.2).
>> > >
>> > > [1] <https://bugs.php.net/bug.php?id=81645>
>> > > [2] <https://github.com/php/php-src/pull/7676>
>> > >
>> > > Christoph
>> > >
>> > > --
>> > > PHP Internals - PHP Runtime Development Mailing List
>> > > To unsubscribe, visit: https://www.php.net/unsub.php
>> > >
>> > >
>> >
>>
>

--0000000000005a177b05d3d240a6--