Newsgroups: php.internals
Date: Thu, 8 Sep 2011 11:17:57 -0700
To: Uwe Schindler
Cc: Internals
Subject: Re: [PHP-DEV] Are all HTTP headers registered in SERVER?
From: karoly@negyesi.net (Karoly Negyesi)

On Thu, Sep 8, 2011 at 10:20 AM, Uwe Schindler wrote:
> Hi,
>
>> It seems to be the case but this is not documented anywhere on php.net.
>> Instead http://php.net/manual/en/function.apache-request-headers.php say
>> "You can also get at the value of the common CGI variables by reading them
>> from the environment".
>
> For the environment is no longer true, most multi-threaded webservers don't
> have separate environments for every thread (because they can't). You should
> only use $_SERVER! The global $_ENV is only safe to use in php-cli, where

OK, OK. This comment then definitely needs expansion. I didn't even
realize it was about $_ENV...

> Thanks for pointing that out. Yes, I wrote that NSAPI code and the main idea
> was to reflect the HTTP_ server/env variables as Apache / CGI spec does. I
> know many other SAPIs don't take care and they are broken for lots of
> applications because of this. Insufficient knowledge on the APIs of those
> SAPIs prevented me from fixing it there, too.
>
> I programmed the converter in the NSAPI SAPI that
> takes all request headers and transform them to CGI variables. It should
> also handle "X-" headers correctly (transformed to "HTTP_X_").
>
>> So... is this official enough that I can amend the
>> reserved.variables.server.php
>> and the function.apache-request-headers.php pages stating that every HTTP
>> header including custom ones can be found In SERVER (with the odd security
>> exceptions)?
>
> Theoretically that should be the case, but it isn't for most older SAPIs,
> which are partly unmaintained. Also, only NSAPI and ISAPI (as far as I know)
> mimic apache_request_headers, this is not part of SAPI spec. The function is
> not available in every SAPI.

So then how should we proceed with augmenting documentation, esp. in the
light of Zend / Symfony already relying on these headers?
The CGI specs (horribly old) say
http://tools.ietf.org/html/draft-robinson-www-interface-00

  The server is not required to create environment variables for all
  the headers that it receives. In particular, it may remove any
  headers carrying authentication information, it may remove headers
  whose value is available to the script via other variables

but it does not say further that "the rest should be created". I tried
to check, for example, the nginx fastcgi documentation itself, which is
superbly terse
http://wiki.nginx.org/HttpFcgiModule#fastcgi_pass_header
and doesn't say which ones are passed by default. A few rows down it says
"Determines whether the request headers are passed to the backend as
HTTP_* values. Should generally be left on." but -- really opaque.

Should the documentation say something like "It's reasonable to expect
all custom HTTP headers to be found in $_SERVER but there are a few web
servers where this is broken"?

Regards

NK
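
The header-to-variable convention discussed in this thread, as an added example that is not part of the original message or of any SAPI's source. It shows the forward mapping ("X-" headers becoming "HTTP_X_") and the reverse lookup an application needs when apache_request_headers() is not available; the function names and the sample array are hypothetical.

```php
<?php
// Added example. Function names and sample data are constructed for
// illustration; they are not taken from PHP or from any SAPI.

/** CGI name of a request header: upper-case, "-" to "_", "HTTP_" prefix. */
function header_to_server_key(string $name): string
{
    $key = strtoupper(str_replace('-', '_', $name));
    // Content-Type and Content-Length are CGI variables without the prefix.
    return in_array($key, ['CONTENT_TYPE', 'CONTENT_LENGTH'], true)
        ? $key
        : 'HTTP_' . $key;
}

/**
 * Reverse mapping: collect the headers the SAPI chose to expose.
 * The result is lossy. Original case is gone, and "X-Foo" and "X_Foo"
 * both arrive as HTTP_X_FOO, so do not base trust decisions on the name.
 */
function headers_from_server(array $server): array
{
    $headers = [];
    foreach ($server as $key => $value) {
        $key = (string) $key;
        if (strncmp($key, 'HTTP_', 5) === 0) {
            $name = substr($key, 5);
        } elseif ($key === 'CONTENT_TYPE' || $key === 'CONTENT_LENGTH') {
            $name = $key;
        } else {
            continue; // SERVER_NAME, REMOTE_ADDR, ... are not request headers
        }
        $words = ucwords(strtolower(str_replace('_', ' ', $name)));
        $headers[str_replace(' ', '-', $words)] = $value;
    }
    return $headers;
}

// Constructed $_SERVER-style sample. There is no HTTP_AUTHORIZATION entry:
// the CGI text quoted above lets the server withhold authentication headers.
$server = [
    'SERVER_NAME'       => 'example.test',
    'CONTENT_TYPE'      => 'application/json',
    'HTTP_ACCEPT'       => '*/*',
    'HTTP_X_REQUEST_ID' => 'abc123',
];

var_dump(header_to_server_key('X-Request-Id'));
var_dump(headers_from_server($server));
```

Code that needs a header which may be withheld should check for its presence with isset() rather than assume the server passed it through.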