php-src code offers a link, namely
<p>For more information as to <i>why</i> this behaviour exists, see the <a href=\"http://php.net/security.cgi-bin\">\ manual page for CGI security</a>.</p>\n\
to read about CGI security. As for the REDIRECT_STATUS variable: it is not an HTTP header, but a variable passed from the web server to the CGI program, in this case the php-cgi or php-fpm process - it tells php-cgi or php-fpm that the request was processed by the web server in a controlled way, and not in any other way, by direct access to these CGI scripts.
Historically, you set up a web server to handle CGI binaries in a special directory — something like $DOCROOT/cgi-bin — and you made all CGI scripts available through some URL http://SERVERNAME/cgi-bin/.
Now, if you call the CGI program for PHP directly through the URL http://SERVERNAME/cgi-bin/php-cgi/PATH_TO_PHP_SCRIPT, the behavior of php-cgi is to process the document /PATH_TO_PHP_SCRIPT, and this can therefore bypass the web server's access control. The document /PATH_TO_PHP_SCRIPT will be processed although the server may deny /PATH_TO_PHP_SCRIPT, since the request has already left the web server and entered the PHP process. With PHP set up this way, such a server will leak information, and you would need another level of access control for all PHP scripts.
To stop this behavior, you can configure the PHP CGI program to only process requests that have the REDIRECT_STATUS header set, which an external client cannot do in a direct request. Only the web server - in the middle between the client and PHP - can set this header; the web server supplies an HTTP status - for example 200, 404, 403 or whatever you like - and lets PHP handle that status. But even the mere existence of this header tells the PHP process that the request was processed in the usual way by the web server.
Opinion: the best way to protect against such use would be to configure the web server to prohibit direct calls to the PHP CGI binary through the default /cgi-bin/ path.
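To make the gating logic concrete, here is an added example that is not code from php-src or from the answer above. It models the check php-cgi performs when cgi.force_redirect is on: serve the request only if the CGI environment carries REDIRECT_STATUS, HTTP_REDIRECT_STATUS, or the variable named by cgi.redirect_status_env. The two CGI environments are constructed for illustration (the "direct" one corresponds to a client calling http://SERVERNAME/cgi-bin/php-cgi/PATH_TO_PHP_SCRIPT, the "routed" one to the web server invoking php-cgi itself), and the 400 status and alert text are modelled on the message the answer quotes rather than copied from php-src.

```python
"""Model of the REDIRECT_STATUS gate php-cgi applies when cgi.force_redirect is on.

Added example: not code from php-src or from the answer it illustrates. The
sample environments are constructed; the 400 status and alert text are modelled
on the php-src message quoted in the answer.
"""
from typing import Dict, Optional, Tuple

SECURITY_ALERT = (
    "Security Alert! The PHP CGI cannot be accessed directly.\n"
    "For more information as to why this behaviour exists, see the "
    "manual page for CGI security: http://php.net/security.cgi-bin\n"
)


def gate_allows(env: Dict[str, str], force_redirect: bool = True,
                redirect_status_env: Optional[str] = None) -> bool:
    """True if the modelled php-cgi would go on to execute the script.

    With cgi.force_redirect=0 there is no check at all: every CGI invocation
    is served, which is exactly the direct-access problem the answer describes.
    """
    if not force_redirect:
        return True
    if env.get("REDIRECT_STATUS") is not None:
        return True  # Apache-style servers set this on internal redirects
    if env.get("HTTP_REDIRECT_STATUS") is not None:
        return True  # variant name used by some other servers
    if redirect_status_env and env.get(redirect_status_env) is not None:
        return True  # cgi.redirect_status_env: a server-specific variable name
    return False


def handle(env: Dict[str, str], force_redirect: bool = True,
           redirect_status_env: Optional[str] = None) -> Tuple[int, str]:
    """Return (http_status, body) for one CGI invocation.

    On success the body only reports which file would run; real php-cgi
    would execute it.
    """
    if not gate_allows(env, force_redirect, redirect_status_env):
        return 400, SECURITY_ALERT
    script = env.get("SCRIPT_FILENAME") or env.get("PATH_TRANSLATED", "<none>")
    return 200, f"would execute {script}\n"


# Constructed sample 1: a client calling the CGI binary directly, as in
# http://SERVERNAME/cgi-bin/php-cgi/PATH_TO_PHP_SCRIPT. The server treats the
# trailing path as PATH_INFO and sets no REDIRECT_STATUS.
DIRECT_REQUEST_ENV = {
    "REQUEST_METHOD": "GET",
    "SCRIPT_NAME": "/cgi-bin/php-cgi",
    "PATH_INFO": "/PATH_TO_PHP_SCRIPT",
    "PATH_TRANSLATED": "/var/www/html/PATH_TO_PHP_SCRIPT",
}

# Constructed sample 2: the same script reached through the web server's own
# handler mapping; the server sets REDIRECT_STATUS before invoking php-cgi.
ROUTED_REQUEST_ENV = {
    "REQUEST_METHOD": "GET",
    "REDIRECT_STATUS": "200",
    "SCRIPT_NAME": "/PATH_TO_PHP_SCRIPT",
    "SCRIPT_FILENAME": "/var/www/html/PATH_TO_PHP_SCRIPT",
}


if __name__ == "__main__":
    for label, env in (("direct", DIRECT_REQUEST_ENV), ("routed", ROUTED_REQUEST_ENV)):
        status, body = handle(env)
        print(f"{label}: {status} {body.splitlines()[0]}")
```

The model shows why leaving cgi.force_redirect at its default of 1 matters: the direct invocation carries no REDIRECT_STATUS and is refused with the alert, while the server-routed invocation passes and runs the script the server already authorized. It also shows that the gate is only as strong as the web server's own handling of the CGI path, which is why the answer's suggestion to block direct calls through /cgi-bin/ at the server level complements it rather than replacing it.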