- sapi_header_op(SAPI_HEADER_(REPLACE|ADD), {NULL, 0, 0}) caused HTTP response splitting

- sapi_send_headers() already takes care of default_content_type (left over of fix for bug #29983)

diff --git a/main/SAPI.c b/main/SAPI.c
index 94e924c626d725b2d07f5332860306322936448c..480932fd8a4f390bb2f03741cf7222da0c771e9a 100644 (file)
--- a/main/SAPI.c
+++ b/main/SAPI.c
@@ -545,6 +545,10 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg TSRMLS_DC)
        case SAPI_HEADER_REPLACE:
        case SAPI_HEADER_ADD: {
                sapi_header_line *p = arg;
+               
+               if (!p->line || !p->line_len) {
+                       return FAILURE;
+               }
                header_line = p->line;
                header_line_len = p->line_len;
                http_response_code = p->response_code;

diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index 7597bff7a6d26c1bc31c2460c0e9e785fff82d5a..a912da7eff9ee2e4cecd31e68b7f86e0ba6e379a 100644 (file)
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -331,21 +331,13 @@ static int sapi_cgi_send_headers(sapi_headers_struct *sapi_headers TSRMLS_DC)
                PHPWRITE_H(buf, len);
        }
 
-       if (SG(sapi_headers).send_default_content_type)
-       {
-               char *hd;
-
-               hd = sapi_get_default_content_type(TSRMLS_C);
-               PHPWRITE_H("Content-type: ", sizeof("Content-type: ") - 1);
-               PHPWRITE_H(hd, strlen(hd));
-               PHPWRITE_H("\r\n", 2);
-               efree(hd);
-       }
-
        h = zend_llist_get_first_ex(&sapi_headers->headers, &pos);
        while (h) {
-               PHPWRITE_H(h->header, h->header_len);
-               PHPWRITE_H("\r\n", 2);
+               /* prevent CRLFCRLF */
+               if (h->header_len) {
+                       PHPWRITE_H(h->header, h->header_len);
+                       PHPWRITE_H("\r\n", 2);
+               }
                h = zend_llist_get_next_ex(&sapi_headers->headers, &pos);
        }
        PHPWRITE_H("\r\n", 2);