Bug #2918

closed

lighttpd is not obeying the http status code sent by our application (302 sent by lighttpd when 301 is sent by application)

Added by shochodev over 5 years ago. Updated over 5 years ago.

Status: Fixed
Priority: Normal
Category: core
Target version:

Description

Our server was updated to lighttpd 1.4.51 by our webhost automatically. We noticed that our website began serving "302 Found" headers when we are redirecting users on our site. We use PHP 5.6.38 and serve redirects explicitly as "301 Moved Permanently" for search engines. Now those same redirects are being sent as "302 Found". After a lot of digging, we noticed our application layer (PHP) is serving all requests properly and lighttpd is ignoring the status code sent. Our testing/dev servers are running lighttpd 1.4.50 and are serving the correct status code sent by our application layer.

The code we are having issues with can be summed up as simply as:

<?php
header("Location: https://www.google.com", true, 301);
exit;

The curl response received when running this code on lighttpd 1.4.51 is:

curl -Ik "https://127.0.0.1/test.php"
HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Set-Cookie: PHPSESSID=rhvmgnnjd4ol6uprhb5hsgc7r7; path=/; secure; HttpOnly
Set-Cookie: php-session-id=rhvmgnnjd4ol6uprhb5hsgc7r7; path=/; secure
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://www.google.com/
Date: Wed, 14 Nov 2018 15:28:28 GMT
Server: lighttpd/1.4.51

The expected response that is returned on lighttpd 1.4.50 is:

curl -Ik "http://127.0.0.1/test.php" 
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=utf-8
Set-Cookie: PHPSESSID=gdorigaj8dfuhs26qnoan56gh4; path=/; HttpOnly
Set-Cookie: php-session-id=gdorigaj8dfuhs26qnoan56gh4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://www.google.com/
Date: Wed, 14 Nov 2018 16:43:23 GMT
Server: lighttpd/1.4.39

The code also fails with the following:

<?php
header("HTTP/1.1 301 Moved Permanently");
exit;

The curl response received when running this code on lighttpd 1.4.51 is:

curl -Ik "https://127.0.0.1/test.php" 
HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Set-Cookie: PHPSESSID=5obdneg9rr9a8g617jmr0p4b47; path=/; secure; HttpOnly
Set-Cookie: php-session-id=5obdneg9rr9a8g617jmr0p4b47; path=/; secure
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://127.0.0.1/test.php
Date: Wed, 14 Nov 2018 16:33:53 GMT
Server: lighttpd/1.4.51

The expected response that is returned on lighttpd 1.4.50 is:

curl -Ik "http://127.0.0.1/test.php"
HTTP/1.1 301 Moved Permanently
X-Server-Host: testing-dev-01
Content-Type: text/html; charset=utf-8
Set-Cookie: PHPSESSID=d8t9gkeq50tqq30qvbgd7thpp3; path=/; HttpOnly
Set-Cookie: php-session-id=d8t9gkeq50tqq30qvbgd7thpp3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Date: Wed, 14 Nov 2018 16:40:27 GMT
Server: lighttpd/1.4.39

Actions #1

Updated by gstrauss over 5 years ago

  • Category set to core
  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.52

Sorry. Looks like setting a flag was missed. This should fix it for you.

--- a/src/http-header-glue.c
+++ b/src/http-header-glue.c
@@ -925,6 +925,7 @@ static int http_response_process_headers(server *srv, connection *con, http_resp
                 status = strtol(value, NULL, 10);
                 if (status >= 100 && status < 1000) {
                     con->http_status = status;
+                    status_is_set = 1;
                 } else {
                     con->http_status = 502;
                     con->mode = DIRECT;
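
Review bot: The added `status_is_set = 1;` in the valid-range branch comes with no regression test; a test in which the backend sends a 301 status together with a `Location` header, as in the report, and asserts that the client receives 301 would keep this flag from being dropped again. Separately, the context line `status = strtol(value, NULL, 10);` passes a NULL end pointer, so a value with trailing non-digit characters still parses as a status, and the `status < 1000` bound accepts codes from 600 to 999; passing an end pointer and rejecting leftover characters before assigning `con->http_status` would tighten what a backend can set here.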

Actions #2

Updated by shochodev over 5 years ago

Awesome! Thank you for addressing this quickly. We have decided to downgrade our lighttpd version to 1.4.50 for now and will update once 1.4.52 rolls out with the fix.

Actions #3

Updated by gstrauss over 5 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100