Bug #2918

lighttpd is not obeying the http status code sent by our application (302 sent by lighttpd when 301 is sent by application)

Added by shochodev about 1 month ago. Updated 28 days ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: core
Target version:
Start date: 2018-11-14
Due date:
% Done: 100%
Estimated time:
Missing in 1.5.x:

Description

Our server was updated to lighttpd 1.4.51 by our webhost automatically. We noticed that our website began serving "302 Found" headers when we are redirecting users on our site. We use PHP 5.6.38 and serve redirects explicitly as "301 Moved Permanently" for search engines. Now those same redirects are being sent as "302 Found". After a lot of digging, we noticed our application layer (PHP) is serving all requests properly and lighttpd is ignoring the status code sent. Our testing/dev servers are running lighttpd 1.4.50 and are serving the correct status code sent by our application layer.

The code we are having issues with can be summed up as simply as:

<?php
header("Location: https://www.google.com", true, 301);
exit;

The curl response received when running this code on lighttpd 1.4.51 is:
curl -Ik "https://127.0.0.1/test.php" 
HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Set-Cookie: PHPSESSID=rhvmgnnjd4ol6uprhb5hsgc7r7; path=/; secure; HttpOnly
Set-Cookie: php-session-id=rhvmgnnjd4ol6uprhb5hsgc7r7; path=/; secure
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://www.google.com/
Date: Wed, 14 Nov 2018 15:28:28 GMT
Server: lighttpd/1.4.51

The expected response that is returned on lighttpd 1.4.50 is:

curl -Ik "http://127.0.0.1/test.php" 
HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=utf-8
Set-Cookie: PHPSESSID=gdorigaj8dfuhs26qnoan56gh4; path=/; HttpOnly
Set-Cookie: php-session-id=gdorigaj8dfuhs26qnoan56gh4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: https://www.google.com/
Date: Wed, 14 Nov 2018 16:43:23 GMT
Server: lighttpd/1.4.39

The code also fails with the following:

<?php
header("HTTP/1.1 301 Moved Permanently");
exit;

The curl response received when running this code on lighttpd 1.4.51 is:

curl -Ik "https://127.0.0.1/test.php" 
HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Set-Cookie: PHPSESSID=5obdneg9rr9a8g617jmr0p4b47; path=/; secure; HttpOnly
Set-Cookie: php-session-id=5obdneg9rr9a8g617jmr0p4b47; path=/; secure
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: http://127.0.0.1/test.php
Date: Wed, 14 Nov 2018 16:33:53 GMT
Server: lighttpd/1.4.51

The expected response that is returned on lighttpd 1.4.50 is:

curl -Ik "http://127.0.0.1/test.php"
HTTP/1.1 301 Moved Permanently
X-Server-Host: testing-dev-01
Content-Type: text/html; charset=utf-8
Set-Cookie: PHPSESSID=d8t9gkeq50tqq30qvbgd7thpp3; path=/; HttpOnly
Set-Cookie: php-session-id=d8t9gkeq50tqq30qvbgd7thpp3; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Date: Wed, 14 Nov 2018 16:40:27 GMT
Server: lighttpd/1.4.39

Associated revisions

Revision 41b50cfa (diff)
Added by gstrauss 30 days ago

[core] fix 301 -> 302 overwrite with Location (fixes #2918)

fix bug resulting in status code being overwritten from 301 to 302 if
Location response header is returned by a backend which is not mod_proxy

(regression in lighttpd 1.4.51)

(thx shochodev)

x-ref:
"lighttpd is not obeying the http status code sent by our application (302 sent by lighttpd when 301 is sent by application)"
https://redmine.lighttpd.net/issues/2918
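
The overwrite described in the commit message above, as an added example that is not lighttpd source code: a simplified model in which a backend `Location` header implies 302 (the CGI default from RFC 3875) unless a `Status` header was already recorded. The names `final_status`, `honor_flag` and the sample header arrays are hypothetical and the inputs are constructed.

```c
/* Simplified model (an assumption), not lighttpd source code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct hdr { const char *name; const char *value; };

/* Returns the status the client would receive for a backend response.
 * honor_flag = 0 models the regression: the backend status is stored but
 * the "status was set" flag is never recorded.
 * honor_flag = 1 models the behaviour once the flag is recorded. */
static int final_status(const struct hdr *h, size_t n, int honor_flag) {
    int http_status = 200;   /* default when the backend sends no Status */
    int status_is_set = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(h[i].name, "Status") == 0) {
            char *end;
            long s = strtol(h[i].value, &end, 10);
            if (end == h[i].value || s < 100 || s >= 1000)
                return 502;  /* backend sent an unusable status */
            http_status = (int)s;
            if (honor_flag) status_is_set = 1;
        } else if (strcmp(h[i].name, "Location") == 0) {
            /* Location without an explicit status implies a 302 redirect */
            if (!status_is_set) http_status = 302;
        }
    }
    return http_status;
}

/* Constructed sample: headers a CGI-style backend could emit for a 301 */
static const struct hdr explicit_301[] = {
    { "Status",   "301 Moved Permanently" },
    { "Location", "https://www.google.com" },
};
/* Constructed sample: redirect with no explicit status */
static const struct hdr bare_location[] = { { "Location", "/moved" } };

int status_regressed(void)     { return final_status(explicit_301, 2, 0); }
int status_fixed(void)         { return final_status(explicit_301, 2, 1); }
int status_bare_location(void) { return final_status(bare_location, 1, 1); }

int main(void) {
    printf("regressed=%d fixed=%d bare=%d\n",
           status_regressed(), status_fixed(), status_bare_location());
    return 0;
}
```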

History

#1

Updated by gstrauss 30 days ago

  • Category set to core
  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.52

Sorry. Looks like setting a flag was missed. This should fix it for you.

--- a/src/http-header-glue.c
+++ b/src/http-header-glue.c
@@ -925,6 +925,7 @@ static int http_response_process_headers(server *srv, connection *con, http_resp
                 status = strtol(value, NULL, 10);
                 if (status >= 100 && status < 1000) {
                     con->http_status = status;
+                    status_is_set = 1;
                 } else {
                     con->http_status = 502;
                     con->mode = DIRECT;
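
Review bot: The `else` branch right below the added line assigns `con->http_status = 502` without touching `status_is_set`, so please confirm that the code after this hunk cannot replace that 502 with a Location-derived 302 in the same way, or set the flag there as well. Because `con->http_status` and `status_is_set` have to change together and this regression came from updating only one of them, a regression test with a non-proxy backend returning 301 alongside a Location header would guard the pairing. Separately, `strtol(value, NULL, 10)` with a NULL end pointer accepts trailing non-digits, so a malformed status value that starts with digits still passes the range check.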

#2

Updated by shochodev 30 days ago

Awesome! Thank you for addressing this quickly. We have decided to downgrade our lighttpd version to 1.4.50 for now and will update once 1.4.52 rolls out with the fix.

#3

Updated by gstrauss 28 days ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
