From 57d99e3df24a9d3cf2cf63c8ee8196824cf7c82b Mon Sep 17 00:00:00 2001
From: Wes Mason
Date: Sat, 24 Nov 2012 22:05:58 +0000
Subject: [PATCH 1/5] Fix bug #62524, only follow redirects in file streams for 3xx HTTP statuses.
---
 ext/standard/http_fopen_wrapper.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
index 4939a742acdf3..111f995532ea2 100644
--- a/ext/standard/http_fopen_wrapper.c
+++ b/ext/standard/http_fopen_wrapper.c
@@ -731,7 +731,8 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper, char *path,
 http_header_line[http_header_line_length] = '\0';
 if (!strncasecmp(http_header_line, "Location: ", 10)) {
- if (context && php_stream_context_get_option(context, "http", "follow_location", &tmpzval) == SUCCESS) {
+ if (context && php_stream_context_get_option(context, "http", "follow_location", &tmpzval) == SUCCESS
+ && response_code >= 300 && response_code < 400) {
 SEPARATE_ZVAL(tmpzval);
 convert_to_long_ex(tmpzval);
 follow_location = Z_LVAL_PP(tmpzval);
From fa20d951117cb45cbfdd0e860e5b9f2adb4d5777 Mon Sep 17 00:00:00 2001
From: Wes Mason
Date: Tue, 15 Jan 2013 00:22:23 +0000
Subject: [PATCH 2/5] Move response_code check to higher priority before Location header check and exclude 304/305 responses
---
 ext/standard/http_fopen_wrapper.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
index 7ea1c9969dfe3..916750188a402 100644
--- a/ext/standard/http_fopen_wrapper.c
+++ b/ext/standard/http_fopen_wrapper.c
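Review bot: In the hunk of PATCH 1/5 the status-range test is joined to the condition that reads the `follow_location` context option, so for a non-3xx response the block is skipped and `follow_location` keeps its initial value (`int follow_location = 1;`, visible as context in PATCH 5/5), and a caller's explicit `follow_location => 0` is not applied either. If the code after this hunk follows `Location` whenever that flag is non-zero (it lies outside the hunk, so this is inferred), a non-redirect response that carries a `Location` header is still followed, which matters to callers that disable redirects to keep requests away from internal addresses. Keep the option lookup unconditional and clear the flag for other statuses after it, e.g. `if (response_code < 300 || response_code >= 400) { follow_location = 0; }`. The same shape is carried through the second hunk of PATCH 2/5 and through PATCH 3/5 and 4/5, with the narrower status set.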
@@ -651,13 +651,15 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper, char *path,
 response_header = *rh;
 }
+ /* need to declare this here to compare along with Location header */
+ int response_code;
+
 if (!php_stream_eof(stream)) {
 size_t tmp_line_len;
 /* get response header */
 if (php_stream_get_line(stream, tmp_line, sizeof(tmp_line) - 1, &tmp_line_len) != NULL) {
 zval *http_response;
- int response_code;
 if (tmp_line_len > 9) {
 response_code = atoi(tmp_line + 9);
@@ -731,8 +733,7 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper, char *path,
 http_header_line[http_header_line_length] = '\0';
 if (!strncasecmp(http_header_line, "Location: ", 10)) {
- if (context && php_stream_context_get_option(context, "http", "follow_location", &tmpzval) == SUCCESS
- && response_code >= 300 && response_code < 400) {
+ if (response_code >= 300 && response_code < 304 && context && php_stream_context_get_option(context, "http", "follow_location", &tmpzval) == SUCCESS) {
 SEPARATE_ZVAL(tmpzval);
 convert_to_long_ex(tmpzval);
 follow_location = Z_LVAL_PP(tmpzval);
From 6f86042fe0de5db71dd13002789442278dd63c0c Mon Sep 17 00:00:00 2001
From: Wes Mason
Date: Tue, 15 Jan 2013 09:32:10 +0000
Subject: [PATCH 3/5] Add test for 307 HTTP status to Location handling in streams
---
 ext/standard/http_fopen_wrapper.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
index 916750188a402..c484b6f5d83f8 100644
--- a/ext/standard/http_fopen_wrapper.c
+++ b/ext/standard/http_fopen_wrapper.c
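Review bot: The declaration added at the top of the first hunk of PATCH 2/5 hoists `response_code` to function scope without an initialiser, and the only assignment visible in this hunk sits inside `if (tmp_line_len > 9)`. Unless a branch outside the hunk covers a short or missing status line, the new `Location` check can read an indeterminate value derived from a server-controlled response. Declare it as `int response_code = 0;` so that a truncated status line can never match the redirect range. The first hunk of PATCH 5/5 moves the declaration to the top of `php_stream_url_wrap_http_ex` and still leaves it uninitialised, so the same change applies there.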
@@ -733,7 +733,9 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper, char *path,
 http_header_line[http_header_line_length] = '\0';
 if (!strncasecmp(http_header_line, "Location: ", 10)) {
- if (response_code >= 300 && response_code < 304 && context && php_stream_context_get_option(context, "http", "follow_location", &tmpzval) == SUCCESS) {
+ /* we only care about Location for 300, 301, 302, 303 and 307 */
+ /* see http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.1 */
+ if (response_code >= 300 && response_code < 304 || 307 == response_code && context && php_stream_context_get_option(context, "http", "follow_location", &tmpzval) == SUCCESS) {
 SEPARATE_ZVAL(tmpzval);
 convert_to_long_ex(tmpzval);
 follow_location = Z_LVAL_PP(tmpzval);
From 0eef4e056ab8e0036d314098287ca61d624007e7 Mon Sep 17 00:00:00 2001
From: Wes Mason
Date: Tue, 15 Jan 2013 10:00:54 +0000
Subject: [PATCH 4/5] Make sure 30x header checks are done together, erp derp
---
 ext/standard/http_fopen_wrapper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
index c484b6f5d83f8..3cf67786aa6a6 100644
--- a/ext/standard/http_fopen_wrapper.c
+++ b/ext/standard/http_fopen_wrapper.c
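Review bot: In PATCH 3/5 the new condition groups as `(response_code >= 300 && response_code < 304) || (307 == response_code && context && …)`, because `&&` binds tighter than `||`, so for 300–303 the body reaches `SEPARATE_ZVAL(tmpzval)` without `context` having been checked or the option lookup having succeeded. PATCH 4/5 adds the outer parentheses; squashing it into this commit would keep the unguarded path out of every revision someone might build or bisect to. The comment's link ends at `#sec10.3.1`, which is the entry for status 300 only; `#sec10.3` covers the whole redirection class the comment lists.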
@@ -735,7 +735,7 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper, char *path,
 if (!strncasecmp(http_header_line, "Location: ", 10)) {
 /* we only care about Location for 300, 301, 302, 303 and 307 */
 /* see http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.1 */
- if (response_code >= 300 && response_code < 304 || 307 == response_code && context && php_stream_context_get_option(context, "http", "follow_location", &tmpzval) == SUCCESS) {
+ if ((response_code >= 300 && response_code < 304 || 307 == response_code) && context && php_stream_context_get_option(context, "http", "follow_location", &tmpzval) == SUCCESS) {
 SEPARATE_ZVAL(tmpzval);
 convert_to_long_ex(tmpzval);
 follow_location = Z_LVAL_PP(tmpzval);
From 3999c0fac8d90f3cd2de09f61e28aebc0cbfa3dc Mon Sep 17 00:00:00 2001
From: Wes Mason
Date: Tue, 15 Jan 2013 10:18:54 +0000
Subject: [PATCH 5/5] Move response_code declaration to top of php_stream_url_wrap_http_ex for C90 compatibility
---
 ext/standard/http_fopen_wrapper.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
index 3cf67786aa6a6..870f904e9c3e3 100644
--- a/ext/standard/http_fopen_wrapper.c
+++ b/ext/standard/http_fopen_wrapper.c
@@ -113,6 +113,7 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper, char *path,
 int redirected = ((flags & HTTP_WRAPPER_REDIRECTED) != 0);
 int follow_location = 1;
 php_stream_filter *transfer_encoding = NULL;
+ int response_code;
 tmp_line[0] = '\0';
@@ -651,9 +652,6 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper, char *path,
 response_header = *rh;
 }
- /* need to declare this here to compare along with Location header */
- int response_code;
-
 if (!php_stream_eof(stream)) {
 size_t tmp_line_len;
 /* get response header */
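Review bot: The inner test in PATCH 4/5, `response_code >= 300 && response_code < 304 || 307 == response_code`, still mixes `&&` and `||` without grouping, which is the same pattern that produced the precedence slip this commit corrects and is what `-Wparentheses` reports. Writing it as `((response_code >= 300 && response_code < 304) || 307 == response_code)` makes the intended status set explicit. All five patches touch only `http_fopen_wrapper.c`; a `.phpt` case that serves a non-3xx status with a `Location` header would pin the behaviour described in bug #62524 and guard this condition against later edits.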