[wp-trac] Re: [WordPress Trac] #3886: wrong server protocol for
HTTP/1.0 requests resulting in uninterpreted chunked encoding
WordPress Trac
wp-trac at lists.automattic.com
Thu May 10 15:13:05 GMT 2007
#3886: wrong server protocol for HTTP/1.0 requests resulting in uninterpreted
chunked encoding
-----------------------+----------------------------------------------------
Reporter: abtime | Owner: anonymous
Type: defect | Status: new
Priority: high | Milestone: 2.2
Component: General | Version: 2.1.1
Severity: major | Resolution:
Keywords: has-patch |
-----------------------+----------------------------------------------------
Comment (by azza-bazoo):
Replying to [comment:9 ryan]:
> Is SERVER_PROTOCOL trustworthy? If not we open ourselves to header
> injection.
I believe it is, but haven't checked the PHP source code. Maybe use this
code instead, since I don't think there's any software in the wild still
using HTTP/0.9:
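{{{
// header()'s third argument (the response code) needs PHP 4.3.0 or later.
// SERVER_PROTOCOL is only compared here; the protocol sent is a literal.
if ( version_compare(phpversion(), '4.3.0', '>=') ) {
    if ( $_SERVER["SERVER_PROTOCOL"] == "HTTP/1.1" ) {
        @header("HTTP/1.1 $header $text", true, $header);
    } else {
        @header("HTTP/1.0 $header $text", true, $header);
    }
} else {
    if ( $_SERVER["SERVER_PROTOCOL"] == "HTTP/1.1" ) {
        @header("HTTP/1.1 $header $text");
    } else {
        @header("HTTP/1.0 $header $text");
    }
}
}}}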
Also, I'd suggest that a fix be put into WP 2.1.4 rather than waiting for
2.2, if that's possible?
--
Ticket URL: <http://trac.wordpress.org/ticket/3886#comment:10>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
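
Added example (not part of the original message and not WordPress code): the comparison-against-a-literal approach from the comment above, written as a standalone helper so that no bytes from SERVER_PROTOCOL are ever copied into the status line. The function name build_status_line(), the fallback to 500 and the sample inputs are assumptions made for illustration.

```php
<?php
/**
 * Hypothetical helper: build an HTTP status line from a server-supplied
 * protocol string, a status code and a reason phrase.
 */
function build_status_line($server_protocol, $code, $text) {
    // The protocol is only compared. Anything that is not exactly
    // "HTTP/1.1" (missing, HTTP/0.9, malformed) falls back to HTTP/1.0.
    $protocol = ($server_protocol === 'HTTP/1.1') ? 'HTTP/1.1' : 'HTTP/1.0';

    // The status code must be an integer in the valid HTTP range.
    $code = (int) $code;
    if ($code < 100 || $code > 599) {
        $code = 500; // assumption: treat an invalid code as a server error
    }

    // The reason phrase is the other interpolated value: replace CR, LF
    // and other control characters so it cannot start a new header line.
    $text = trim(preg_replace('/[\x00-\x1F\x7F]+/', ' ', (string) $text));

    return "$protocol $code $text";
}

// Constructed sample inputs, not taken from the ticket.
$samples = array(
    'HTTP/1.1',
    'HTTP/1.0',
    'HTTP/0.9',
    "HTTP/1.1\r\nX-Constructed: 1", // malformed value containing CR LF
    null,                           // SERVER_PROTOCOL not set
);

foreach ($samples as $protocol) {
    // Every output line starts with one of the two literals above.
    echo json_encode($protocol), ' => ',
         build_status_line($protocol, 404, "Not Found"), "\n";
}

// Typical call site (sends the header, so it is left commented out here):
// @header(build_status_line($_SERVER['SERVER_PROTOCOL'], $header, $text), true, $header);
```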