On Thu, 23 Dec 2021, 00:06 David Gebler, <davidgeb...@gmail.com> wrote:
> On Tue, Dec 21, 2021 at 6:59 PM Christoph M. Becker <cmbecke...@gmx.de> > wrote: > > > Hi all, > > > > a while ago it has been reported[1] that our header() function actually > > allows arbitrary status codes, which may even overflow. Of course, that > > makes no sense, since the status code is supposed to be a three digit > > code. So this ticket has been followed up by a pull request[2], and > > Jakub suggested to further restrict the status code to be in range 100 - > > 599. > > > > Personally, I don't like restricting the status code to a number in the > 100-599 range. As far as I know, RFC 7230 doesn't mandate anything beyond > the requirement of 3 digits and while 7231 may only specify semantics for > 1xx-5xx, that doesn't mean there isn't a legitimate use-case in custom or > internal applications for status codes outside the usual semantics. > > The overflow part is a legit bug which can and should be fixed, but I'd at > least question whether a user should be obliged to stick to conventional > HTTP semantics via the header() function, or even a strictly conformant > implementation of the standards defined 7320. Maybe this behaviour could be > default but overridable via a new, fourth optional parameter or something, > I don't know...but I can easily imagine someone having a legitimate context > in which they want to send status codes outside the usual range > representing custom semantics. > I think its safe to say we should restrict the overflow parts. As for boundaries; I don't know who is or isn't using their own custom status codes. It's unlikely, but entirely possible. As such, this is considered a BC break. If we apply restrictions to a minor release, then upgrading will be harder for 8.2 if we include this in the next release. You could say 98% of people are using standard ranges for status codes, but we do have to always take into account the 2% on our decisions. Thanks. > > > > > Since this could break some pathological cases, I wanted to ask whether > > anybody objects to this change for the master branch (i.e. PHP 8.2). > > > > [1] <https://bugs.php.net/bug.php?id=81645> > > [2] <https://github.com/php/php-src/pull/7676> > > > > Christoph > > > > -- > > PHP Internals - PHP Runtime Development Mailing List > > To unsubscribe, visit: https://www.php.net/unsub.php > > > > >
