Header names with underscores ignored in php 5.5.1/apache 2.4.6

2022-01-17 00:00:00 http-headers php apache

After upgrading to php 5.5.1 and apache 2.4.6, checking for certain headers is now broken (specifically, checking for HTTP_X_REQUESTED_WITH).

Through further testing I noticed that any custom header that contains an underscore is ignored (by this I mean it does not show up in PHP's $_SERVER array). So if I add a header named my-header, it becomes available as $_SERVER['HTTP_MY_HEADER'], but if I try adding a header my_header, it's not available in $_SERVER.


This is a documented feature in apache 2.4. See httpd.apache.org/docs/trunk/new_features_2_4.html


Translation of headers to environment variables is more strict than before to mitigate some possible cross-site-scripting attacks via header injection. Headers containing invalid characters (including underscores) are now silently dropped.
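
The following Python model is an added example, not part of the original question or answer and not Apache's code. It shows the translation rule the quoted note describes and why `my-header` and `my_header` are ambiguous once they become environment variable names. The function names, the lenient rule used for contrast, and the sample headers are assumptions constructed for illustration.

```python
import string

_ALNUM = set(string.ascii_letters + string.digits)

def strict_env_name(header):
    """Strict rule as described in the note: alphanumerics are upper-cased,
    '-' becomes '_', and any other character (including '_') means the
    header is not exported at all."""
    out = []
    for ch in header:
        if ch in _ALNUM:
            out.append(ch.upper())
        elif ch == "-":
            out.append("_")
        else:
            return None
    return "HTTP_" + "".join(out)

def lenient_env_name(header):
    """Lenient rule assumed here for contrast: every non-alphanumeric
    character is folded to '_'."""
    return "HTTP_" + "".join(ch.upper() if ch in _ALNUM else "_" for ch in header)

def build_env(headers, strict=True):
    """Return (env, dropped, collisions) for a list of (name, value) pairs."""
    env, dropped, collisions = {}, [], []
    for name, value in headers:
        key = strict_env_name(name) if strict else lenient_env_name(name)
        if key is None:
            dropped.append(name)      # silently dropped under the strict rule
            continue
        if key in env:
            collisions.append(key)    # two distinct headers, one variable name
        env[key] = value              # this model keeps the last value seen
    return env, dropped, collisions

# Constructed sample request headers.
SAMPLE = [
    ("X-Requested-With", "XMLHttpRequest"),
    ("my-header", "from-hyphen"),
    ("my_header", "from-underscore"),
]

if __name__ == "__main__":
    for strict in (False, True):
        env, dropped, collisions = build_env(SAMPLE, strict)
        print("strict " if strict else "lenient", env, dropped, collisions)
```

Under the lenient rule the script cannot tell which of the two headers supplied `HTTP_MY_HEADER`; under the strict rule only the hyphenated form reaches the environment, so clients should send `My-Header` rather than `my_header`.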
