From: Michael Wallner <mike@php.net>
Date: Wed, 2 Nov 2005 14:27:02 +0000 (+0000)
Subject: - sapi_header_op(SAPI_HEADER_(REPLACE|ADD), {NULL, 0, 0}) caused HTTP response splitting
X-Git-Tag: RELEASE_2_0_1~70
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ab95f1981ca0b914d08bd57069c37f1084a5ea05;p=php

- sapi_header_op(SAPI_HEADER_(REPLACE|ADD), {NULL, 0, 0}) caused HTTP response splitting
- sapi_send_headers() already takes care of default_content_type (left over of fix for bug #29983)
---

diff --git a/main/SAPI.c b/main/SAPI.c
index d2347f050b..86fb2de884 100644
--- a/main/SAPI.c
+++ b/main/SAPI.c
@@ -567,6 +567,10 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg TSRMLS_DC)
 	case SAPI_HEADER_REPLACE:
 	case SAPI_HEADER_ADD: {
 		sapi_header_line *p = arg;
+		
+		if (!p->line || !p->line_len) {
+			return FAILURE;
+		}
 		header_line = p->line;
 		header_line_len = p->line_len;
 		http_response_code = p->response_code;
diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index 7597bff7a6..a912da7eff 100644
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -331,21 +331,13 @@ static int sapi_cgi_send_headers(sapi_headers_struct *sapi_headers TSRMLS_DC)
 		PHPWRITE_H(buf, len);
 	}
 
-	if (SG(sapi_headers).send_default_content_type)
-	{
-		char *hd;
-
-		hd = sapi_get_default_content_type(TSRMLS_C);
-		PHPWRITE_H("Content-type: ", sizeof("Content-type: ") - 1);
-		PHPWRITE_H(hd, strlen(hd));
-		PHPWRITE_H("\r\n", 2);
-		efree(hd);
-	}
-
 	h = zend_llist_get_first_ex(&sapi_headers->headers, &pos);
 	while (h) {
-		PHPWRITE_H(h->header, h->header_len);
-		PHPWRITE_H("\r\n", 2);
+		/* prevent CRLFCRLF */
+		if (h->header_len) {
+			PHPWRITE_H(h->header, h->header_len);
+			PHPWRITE_H("\r\n", 2);
+		}
 		h = zend_llist_get_next_ex(&sapi_headers->headers, &pos);
 	}
 	PHPWRITE_H("\r\n", 2);