Skip to content

Update to PHP 8.5#104

Merged
MDA2AV merged 1 commit intoMDA2AV:mainfrom
joanhey:php-update
Apr 1, 2026
Merged

Update to PHP 8.5#104
MDA2AV merged 1 commit intoMDA2AV:mainfrom
joanhey:php-update

Conversation

@joanhey
Copy link
Copy Markdown
Contributor

@joanhey joanhey commented Mar 31, 2026
edited
Loading

The PHP CLI server is only for develop.
It isn't for production.

In my own tests fail a lot with http standards at return code values.

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Mar 31, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@github-actions
Copy link
Copy Markdown

github-actions bot commented Apr 1, 2026

Http11Probe — Compliance Comparison

Server Score
PHP 112/161 ██████████████░░░░░░ 70%

✅ Baseline Passed

Compliance

Test Expected PHP
BASELINE 2xx 200
BARE-LF-REQUEST-LINE 400 or close (pass), 2xx (warn) ⚠️200
BARE-LF-HEADER 400 or close (pass), 2xx (warn) ⚠️200
OBS-FOLD 400 200
SP-BEFORE-COLON 400 200
MULTI-SP-REQUEST-LINE 400 or 2xx; close/timeout = warn ⚠️200
MISSING-HOST 400 200
INVALID-VERSION 400/505, close, or timeout = warn 200
EMPTY-HEADER-NAME 400 or close ClosedByServer
CR-ONLY-LINE-ENDING 400, close, or timeout = warn ⚠️ClosedByServer
MISSING-TARGET 400, close, or timeout = warn ⚠️ClosedByServer
FRAGMENT-IN-TARGET 400 or 2xx; 404 = warn ⚠️200
HTTP09-REQUEST 400/close/timeout TimedOut
INVALID-HEADER-NAME 400 or close ClosedByServer
HEADER-NO-COLON 400 or close 200
DUPLICATE-HOST 400 200
CL-NON-NUMERIC 400 or close ClosedByServer
CL-PLUS-SIGN 400 or close ClosedByServer
WHITESPACE-BEFORE-HEADERS 400 or close 200
DUPLICATE-HOST-SAME 400 200
HOST-WITH-USERINFO 400 or close 200
HOST-WITH-PATH 400 or close 200
ASTERISK-WITH-GET 400, close, or timeout = warn 200
OPTIONS-STAR 2xx or 405; close/timeout = warn 200
UNKNOWN-TE-501 400/501 or close 200
LEADING-CRLF 400 or 2xx; close/timeout = warn ⚠️200
ABSOLUTE-FORM 2xx preferred; 400/close/timeout = warn 200
METHOD-CASE 400/405/501 or 2xx; close/timeout = warn ⚠️ClosedByServer
POST-CL-BODY 2xx + echo 200
POST-CL-ZERO 2xx or close 200
POST-NO-CL-NO-TE 2xx or close 200
POST-CL-UNDERSEND 400/close/timeout TimedOut
CHUNKED-BODY 2xx + echo 200
CHUNKED-MULTI 2xx + echo 200
CHUNKED-EMPTY 2xx or close 200
CHUNKED-NO-FINAL 400/close/timeout TimedOut
METHOD-CONNECT 400/405/501 or close 200
EXPECT-UNKNOWN 417 or 2xx ⚠️200
GET-WITH-CL-BODY 400 or 2xx ⚠️200
CHUNKED-EXTENSION 2xx preferred; 400 warns 200
METHOD-TRACE 405/501 or 2xx ⚠️200
HOST-EMPTY-VALUE 400 or close 200
REQUEST-LINE-TAB 400 or 2xx; close/timeout = warn ⚠️ClosedByServer
VERSION-MISSING-MINOR 400, close, or timeout = warn ⚠️ClosedByServer
VERSION-LEADING-ZEROS 400, close, or timeout = warn ⚠️ClosedByServer
VERSION-WHITESPACE 400, close, or timeout = warn ⚠️ClosedByServer
CONNECTION-CLOSE 2xx + close 200
HTTP10-DEFAULT-CLOSE 2xx + close 200
HTTP10-NO-HOST 200 or 400 ⚠️200
HTTP12-VERSION 200 or 505 ⚠️200
TRACE-WITH-BODY 400/405 or 200 ⚠️200
CHUNKED-TRAILER-VALID 2xx + echo 200
CHUNKED-HEX-UPPERCASE 2xx + echo 200
RANGE-POST 2xx (Range ignored) 200
HEAD-NO-BODY 2xx with no body 200
UNKNOWN-METHOD 501/405/400 or close 501
405-ALLOW 405 + Allow header ⚠️200
DATE-HEADER 2xx with Date header 200
DATE-FORMAT IMF-fixdate format 200
NO-1XX-HTTP10 non-1xx response 200
NO-CL-IN-204 204 without CL, or 405 ⚠️200
OPTIONS-ALLOW 2xx with Allow header, or 405 ⚠️200
CONTENT-TYPE 2xx with Content-Type 200
VERSION-CASE 400, close, or timeout = warn ⚠️ClosedByServer
LONG-URL-OK not 414; close/timeout = warn 200
SPACE-IN-TARGET 400, close, or timeout = warn ⚠️ClosedByServer
DUPLICATE-CT 400 or 2xx ⚠️200
TRACE-SENSITIVE 405/501, or 200 without Auth 200
RANGE-INVALID 200 or 416 200
ACCEPT-NONSENSE 406 or 2xx ⚠️200
POST-UNSUPPORTED-CT 415 or 2xx 200

Smuggling

Test Expected PHP
CL-TE-BOTH 400 or 2xx ⚠️200
DUPLICATE-CL 400 or close 200
CL-LEADING-ZEROS 400 or 2xx ⚠️200
TE-XCHUNKED 400/501 or close 200
TE-TRAILING-SPACE 400/501 or 2xx+close ClosedByServer
TE-SP-BEFORE-COLON 400 or close ClosedByServer
CL-NEGATIVE 400 or close ClosedByServer
CLTE-PIPELINE 400 or close preferred; 2xx acceptable 200
TECL-PIPELINE 400 or close preferred; 2xx acceptable 200
CL-TRAILING-SPACE 400 or 2xx ⚠️200
TE-DOUBLE-CHUNKED 400 or 2xx ⚠️200
CL-EXTRA-LEADING-SP 400 or 2xx ⚠️200
TE-CASE-MISMATCH 400 or 2xx ClosedByServer
CL-COMMA-DIFFERENT 400 or close ClosedByServer
TE-NOT-FINAL-CHUNKED 400 or close ClosedByServer
TE-HTTP10 400 or close ClosedByServer
CHUNK-BARE-SEMICOLON 400 or close 200
CHUNK-EXT-INVALID-TOKEN 400 or close 200
BARE-CR-HEADER-VALUE 400 or close 200
CL-OCTAL 400 or close ClosedByServer
CHUNK-UNDERSCORE 400 or close ClosedByServer
TE-EMPTY-VALUE 400 or close 200
TE-LEADING-COMMA 400 or 2xx ⚠️200
TE-DUPLICATE-HEADERS 400 or close ClosedByServer
CHUNK-HEX-PREFIX 400 or close ClosedByServer
CHUNK-SIZE-PLUS 400 or close ClosedByServer
CHUNK-SIZE-TRAILING-OWS 400 or close 200
CL-HEX-PREFIX 400 or close ClosedByServer
CL-INTERNAL-SPACE 400 or close 200
CHUNK-LEADING-SP 400 or close ClosedByServer
CHUNK-MISSING-TRAILING-CRLF 400 or close ClosedByServer
CHUNK-EXT-LF 400 or 2xx TimedOut
CHUNK-SPILL 400 or close ClosedByServer
CHUNK-LF-TERM 400 or 2xx ClosedByServer
CHUNK-EXT-CTRL 400 or close 200
CHUNK-EXT-CR 400 or close ClosedByServer
TE-VTAB 400 or close 200
TE-FORMFEED 400 or close 200
TE-NULL 400 or close 200
CHUNK-LF-TRAILER 400 or 2xx ⚠️200
TE-IDENTITY 400/501 or close 200
CHUNK-NEGATIVE 400 or close ClosedByServer
TRANSFER_ENCODING 400 or 2xx ⚠️200
CL-COMMA-SAME 400 or 2xx ClosedByServer
CL-COMMA-TRIPLE 400 or 2xx ClosedByServer
CHUNKED-WITH-PARAMS 400 or 2xx ⚠️200
EXPECT-100-CL 400 or 2xx ⚠️200
TRAILER-CL 400 or 2xx ⚠️200
TRAILER-TE 400 or 2xx ⚠️200
TRAILER-HOST 400 or 2xx ⚠️200
TRAILER-AUTH 400 or 2xx ⚠️200
HEAD-CL-BODY 400 or 2xx ⚠️200
OPTIONS-CL-BODY 400/405 or 2xx ⚠️200
CL-UNDERSCORE 400 or close ClosedByServer
CL-NEGATIVE-ZERO 400 or close ClosedByServer
CL-DOUBLE-ZERO 400 or 2xx ⚠️200
CL-LEADING-ZEROS-OCTAL 400 or 2xx ⚠️200
TE-OBS-FOLD 400 or 2xx+close ⚠️200
TE-TRAILING-COMMA 400 or 2xx ⚠️200
TE-TAB-BEFORE-VALUE 400 or 2xx ⚠️200
ABSOLUTE-URI-HOST-MISMATCH 400 or 2xx ⚠️200
MULTIPLE-HOST-COMMA 400 or close 200
CHUNK-BARE-CR-TERM 400 or close ClosedByServer
TRAILER-CONTENT-TYPE 400 or 2xx ⚠️200
CLTE-CONN-CLOSE 400, or 2xx + close 200
TECL-CONN-CLOSE 400, or 2xx + close 200
CLTE-DESYNC 400, or close 200
CLTE-SMUGGLED-GET 400, or close (no extra response) ClosedByServer
CLTE-SMUGGLED-GET-CL-PLUS 400, or close (no extra response) ClosedByServer
CLTE-SMUGGLED-GET-CL-NON-NUMERIC 400, or close (no extra response) ClosedByServer
CLTE-SMUGGLED-GET-TE-OBS-FOLD 400, or close (no extra response) 200
CLTE-SMUGGLED-HEAD 400, or close (no extra response) ClosedByServer
CLTE-SMUGGLED-GET-TE-TRAILING-SPACE 400, or close (no extra response) ClosedByServer
CLTE-SMUGGLED-GET-TE-LEADING-COMMA 400, or close (no extra response) 200
CLTE-SMUGGLED-GET-TE-CASE-MISMATCH 400, or close (no extra response) ClosedByServer
TE-DUPLICATE-HEADERS-SMUGGLED-GET 400, or close (no extra response) ClosedByServer
TECL-SMUGGLED-GET 400, or close (no extra response) 200
DUPLICATE-CL-SMUGGLED-GET 400, or close (no extra response) 200
GET-CL-PREFIX-DESYNC 400/close preferred; extra response on step 2 = warn 200
TECL-DESYNC 400, or close 200
CL0-BODY-POISON 400/close preferred; poisoned follow-up = warn 200
GET-CL-BODY-DESYNC 400/close/pass-through; poisoned follow-up = warn 200
OPTIONS-CL-BODY-DESYNC 400/close/pass-through; poisoned follow-up = warn 200
EXPECT-100-CL-DESYNC 417/400/close preferred; poisoned follow-up = warn 200
OPTIONS-TE-OBS-FOLD 400, or 2xx + close 200
CHUNK-INVALID-SIZE-DESYNC 400, or close ClosedByServer
PIPELINE-SAFE 2xx + 2xx ⚠️200

Malformed Input

Test Expected PHP
BINARY-GARBAGE 400/close/timeout ClosedByServer
LONG-URL 400/414/431 or close ClosedByServer
LONG-HEADER-VALUE 400/431 or close ClosedByServer
MANY-HEADERS 400/431 or close ClosedByServer
NUL-IN-URL 400 or close ClosedByServer
CONTROL-CHARS-HEADER 400 or close 200
INCOMPLETE-REQUEST 400/close/timeout TimedOut
EMPTY-REQUEST 400/close/timeout TimedOut
LONG-HEADER-NAME 400/431 or close ClosedByServer
LONG-METHOD 400 or close ClosedByServer
NON-ASCII-HEADER-NAME 400 or close ClosedByServer
NON-ASCII-URL 400 or close ClosedByServer
CL-OVERFLOW 400 or close TimedOut
WHITESPACE-ONLY-LINE 400/close/timeout ClosedByServer
NUL-IN-HEADER-VALUE 400 or close 200
CHUNK-SIZE-OVERFLOW 400 or close ClosedByServer
H2-PREFACE 400/505/close/timeout Error
CL-EMPTY 400 or close Error
CL-TAB-BEFORE-VALUE 400 or 2xx Error
URL-BACKSLASH 400 or 2xx/404 Error
URL-OVERLONG-UTF8 400 or close Error
URL-PERCENT-NULL 400 or 2xx/404 Error
URL-PERCENT-CRLF 400 or 2xx/404 Error
CHUNK-EXT-64K 400 or 2xx Error
RANGE-OVERLAPPING 200/206/400/416 Error
POST-CL-HUGE-NO-BODY 400/close/timeout Error

Header Normalization

Test Expected PHP
UNDERSCORE-CL Reject/drop (pass), normalize (fail), preserve (warn) Error
SP-BEFORE-COLON-CL Reject/drop (pass), normalize (fail), preserve (warn) Error
TAB-IN-NAME Reject/drop (pass), normalize (fail), preserve (warn) Error
CASE-TE Reject/drop (pass), normalize casing (fail), preserve (warn) Error
UNDERSCORE-TE Reject/drop (pass), normalize (fail), preserve (warn) Error

Commit: b941345

@MDA2AV MDA2AV merged commit 1d3c623 into MDA2AV:main Apr 1, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@joanhey @MDA2AV