author | Arnaud Le Blanc <lbarnaud@php.net> | 2008-07-28 19:08:02 +0000 |
---|---|---|
committer | Arnaud Le Blanc <lbarnaud@php.net> | 2008-07-28 19:08:02 +0000 |
commit | 0f9026daf9542b0735811381bcd677e1ad26364a (patch) | |
tree | 7cc2fb57dbdedae8455e5351ac3242a1578e4347 | |
parent | 49aa0feaae87434c2dee0979f30ca1d0496ae989 (diff) | |
download | php-git-0f9026daf9542b0735811381bcd677e1ad26364a.tar.gz |
MFH: When automatically redirecting an HTTP request, use the GET method when the
original method was not HEAD or GET (fixes #45540)
#
# The RFC says that in case of 3xx code, "The action required MAY be
# carried out [...] *only if the method used in the second request is GET or
# HEAD*".
#
# This may not break anything as actually POST requests replying
# with a Location header never worked as the redirecting request was sent using
# the POST method, but without Entity-Body (and without Content-Length header,
# which caused the server to reply with a "411 Length Required" or to treat
# the request as GET).
#
-rw-r--r-- | NEWS | 1 | ||||
-rw-r--r-- | ext/standard/http_fopen_wrapper.c | 15 |
2 files changed, 12 insertions, 4 deletions
@@ -253,6 +253,7 @@ PHP NEWS prop of wrapped object). (robin_fernandes at uk dot ibm dot com, Arnaud) - Fixed bug #45571 (ReflectionClass::export() shows superclasses' private static methods). (robin_fernandes at uk dot ibm dot com) +- Fixed bug #45540 (stream_context_create creates bad http request). (Arnaud) - Fixed bug #45430 (windows implementation of crypt is not thread safe). (Pierre) - Fixed bug #45345 (SPLFileInfo::getPathInfo() returning dir info instead of diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c index a228dceaf9..56ce9117cd 100644 --- a/ext/standard/http_fopen_wrapper.c +++ b/ext/standard/http_fopen_wrapper.c @@ -252,10 +252,17 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper, char *path, if (context && php_stream_context_get_option(context, "http", "method", &tmpzval) == SUCCESS) { if (Z_TYPE_PP(tmpzval) == IS_STRING && Z_STRLEN_PP(tmpzval) > 0) { - scratch_len = strlen(path) + 29 + Z_STRLEN_PP(tmpzval); - scratch = emalloc(scratch_len); - strlcpy(scratch, Z_STRVAL_PP(tmpzval), Z_STRLEN_PP(tmpzval) + 1); - strcat(scratch, " "); + /* As per the RFC, automatically redirected requests MUST NOT use other methods than + * GET and HEAD unless it can be confirmed by the user */ + if (redirect_max == PHP_URL_REDIRECT_MAX + || (Z_STRLEN_PP(tmpzval) == 3 && memcmp("GET", Z_STRVAL_PP(tmpzval), 3) == 0) + || (Z_STRLEN_PP(tmpzval) == 4 && memcmp("HEAD",Z_STRVAL_PP(tmpzval), 4) == 0) + ) { + scratch_len = strlen(path) + 29 + Z_STRLEN_PP(tmpzval); + scratch = emalloc(scratch_len); + strlcpy(scratch, Z_STRVAL_PP(tmpzval), Z_STRLEN_PP(tmpzval) + 1); + strcat(scratch, " "); + } } } |
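Review bot: In the http_fopen_wrapper.c hunk, the test `redirect_max == PHP_URL_REDIRECT_MAX` stands in for "this is the initial request, not a followed redirect", and nothing visible guarantees that the two are equivalent. The parameter list of php_stream_url_wrap_http_ex and the place where redirect_max is set or decremented are outside the hunk, so this needs confirming. If a first call can arrive with any other limit, a configured POST or PUT would be dropped on the original request as well. At minimum the condition deserves a comment such as `/* redirect_max == PHP_URL_REDIRECT_MAX: initial request, not a followed redirect */`; an explicit "redirected" indicator set by the redirect path would state the intent directly. When the condition is false `scratch` is left untouched, so the fallback to GET presumably relies on code after the hunk, which the comment should mention too.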