Fix #81305: Built-in Webserver Drops Requests With "Upgrade" Header

While our HTTP parser supports upgrade requests, the code using it does not. Since upgrade requests are only valid for HTTP/1.1 and we neither support any higher version, nor HTTPS yet, we do not exit early in case of such requests, i.e. we ignore them, what is allowed by the specs. We keep the supporting code in case we can meaningfully support upgrade requests in the future. Closes GH-7316.
2025-08-15 21:48:51 +02:00 · 2021-07-29 12:19:35 +02:00 · 2021-07-29 12:19:35 +02:00 · d1ccb5bd0c
commit d1ccb5bd0c
parent 98049e8b9a
3 changed files with 43 additions and 0 deletions
--- a/2
+++ b/2
@ -6,6 +6,8 @@ PHP                                                                        NEWS
  . Fixed bug #72595 (php_output_handler_append illegal write access). (cmb)
  . Fixed bug #66719 (Weird behaviour when using get_called_class() with
    call_user_func()). (Nikita)
+  . Fixed bug #81305 (Built-in Webserver Drops Requests With "Upgrade" Header).
+    (cmb)

 - BCMath:
  . Fixed bug #78238 (BCMath returns "-0"). (cmb)
--- a/sapi/cli/php_http_parser.c
+++ b/sapi/cli/php_http_parser.c
@ -1339,11 +1339,16 @@ size_t php_http_parser_execute (php_http_parser *parser,
          }
        }

+        /* We cannot meaningfully support upgrade requests, since we only
+         * support HTTP/1 for now.
+         */
+#if 0
        /* Exit, the rest of the connect is in a different protocol. */
        if (parser->upgrade) {
          CALLBACK2(message_complete);
          return (p - data);
        }
+#endif

        if (parser->flags & F_SKIPBODY) {
          CALLBACK2(message_complete);
--- a/sapi/cli/tests/bug81305.phpt
+++ b/sapi/cli/tests/bug81305.phpt
@ -0,0 +1,36 @@
+--TEST--
+Bug #81305 (Built-in Webserver Drops Requests With "Upgrade" Header)
+--SKIPIF--
+<?php
+include "skipif.inc";
+?>
+--FILE--
+<?php
+include "php_cli_server.inc";
+php_cli_server_start();
+
+$host = PHP_CLI_SERVER_HOSTNAME;
+$fp = php_cli_server_connect();
+
+if (fwrite($fp, <<<HEADER
+GET / HTTP/1.1
+Host: {$host}
+Upgrade: HTTP/2.0
+Connection: upgrade
+
+
+HEADER)) {
+	fpassthru($fp);
+}
+
+fclose($fp);
+?>
+--EXPECTF--
+HTTP/1.1 200 OK
+Host: %s
+Date: %s
+Connection: close
+X-Powered-By: PHP/%s
+Content-type: text/html; charset=UTF-8
+
+Hello world