[wp-trac] [WordPress Trac] #37863: HTTP/1.1 defined header in wp-comments-post.php
WordPress Trac
noreply at wordpress.org
Tue Aug 30 01:19:19 UTC 2016
#37863: HTTP/1.1 defined header in wp-comments-post.php
--------------------------+--------------------------
Reporter: tnash | Owner: johnbillion
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 4.7
Component: Comments | Version: 4.6
Severity: normal | Resolution:
Keywords: | Focuses:
--------------------------+--------------------------
Changes (by kobashicomputing):
* status: closed => reopened
* resolution: fixed =>
Comment:
Read my [original feedback to the support forum][https://wordpress.org/support/topic/wp-comments-postphp-http-version],
for which the originator of this bug report decided to create a ticket.
The code above is wrong.
1) Having a fallback to HTTP 1.0 is NEVER GUARANTEED to be supported on
the HTTP server. The only way you as WordPress are going to know what HTTP
version is supported is through $_SERVER['SERVER_PROTOCOL']. Making an
assumption about the HTTP server you are running on without even knowing it
supports 1.0 is guessing.
2) There is no future support in place with this code. The code above
falls apart as newer HTTP versions come out (HTTP 2.01, HTTP 3, etc) which
then results in returning HTTP 1.0 error messages.
3) Further, RFC 2145 says <https://tools.ietf.org/html/rfc2145#section-2.3>:
"An HTTP server SHOULD send a response version equal to the highest
version for which the server is at least conditionally compliant, and
whose major version is less than or equal to the one received in the
request. An HTTP server MUST NOT send a version for which it is not
at least conditionally compliant. A server MAY send a 505 (HTTP
Version Not Supported) response if cannot send a response using the
major version used in the client's request."
You must trust what is returned in $_SERVER['SERVER_PROTOCOL'].
<?php
if ('POST' != $_SERVER['REQUEST_METHOD']) {
    header('Allow: POST');
    header($_SERVER['SERVER_PROTOCOL'] . ' 405 Method Not Allowed');
    header('Content-Type: text/plain');
    exit;
}
?>
If someone visits the post comment URL with different HTTP Methods
(DELETE, GET, PUT, etc.) and you tell them you support HTTP 1.0, you are
misleading them, especially if it is a service that now is going to think
only HTTP 1.0 is the way to post comments.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/37863#comment:4>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
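
The status-line approach proposed in the comment above, as an added example that is not part of the original message or of WordPress core: it uses $_SERVER['SERVER_PROTOCOL'] only when the value has the HTTP/<major>[.<minor>] form, and otherwise lets PHP pick the status line through http_response_code(). The example_* function names and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not WordPress core code. Function names are hypothetical.

/**
 * Return the protocol token from the server array if it is syntactically
 * an HTTP version (HTTP/1.1, HTTP/2, HTTP/2.0, ...), otherwise null.
 */
function example_request_protocol( array $server ) {
    $value = isset( $server['SERVER_PROTOCOL'] ) ? $server['SERVER_PROTOCOL'] : '';
    // \A and \z anchor the whole string, so nothing may follow the version.
    if ( is_string( $value ) && preg_match( '/\AHTTP\/\d(?:\.\d)?\z/', $value ) ) {
        return $value;
    }
    return null;
}

/**
 * Send a 405 response for any method other than POST.
 * Returns true when the request was rejected (the caller should then exit).
 */
function example_reject_non_post( array $server ) {
    $method = isset( $server['REQUEST_METHOD'] ) ? $server['REQUEST_METHOD'] : '';
    if ( 'POST' === $method ) {
        return false;
    }
    $protocol = example_request_protocol( $server );
    if ( null !== $protocol ) {
        // Status line carries the version reported by the server.
        header( $protocol . ' 405 Method Not Allowed' );
    } else {
        // No usable value: set only the code and let PHP write the status line.
        http_response_code( 405 );
    }
    header( 'Allow: POST' );
    header( 'Content-Type: text/plain' );
    return true;
}

// Constructed sample values, run through the syntax check only.
$samples = array( 'HTTP/1.1', 'HTTP/2.0', 'HTTP/2', 'HTTP/1.1 junk', 'not-a-protocol', '' );
foreach ( $samples as $sample ) {
    $result = example_request_protocol( array( 'SERVER_PROTOCOL' => $sample ) );
    printf( "%-16s => %s\n", var_export( $sample, true ), var_export( $result, true ) );
}
```

In a request handler the call would be `if ( example_reject_non_post( $_SERVER ) ) { exit; }`.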