用下划线标题名称忽略在PHP 5.5.1 / 2.4.6阿帕奇 [英] Header names with underscores ignored in php 5.5.1 / apache 2.4.6

问题描述

升级到PHP 5.5.1和Apache 2.4.6后，检查某些头，现在坏了（确切地说，检查 HTTP_X_REQUESTED_WITH ）。

After upgrading to php 5.5.1 and apache 2.4.6, checking for certain headers is now broken (specifically, checking for HTTP_X_REQUESTED_WITH).

通过进一步测试我注意到，包含下划线的任何自定义标题被忽略（我的意思是它不能在PHP的 $ _ SERVER 阵列显示）。所以，如果我添加一个名为标题我的头，其可用为 $ _ SERVER ['HTTP_MY_HEADER'] ，但如果我尝试添加标题 my_header ，它不具备的 $ _ SERVER 。

Through further testing I noticed that any custom header that contains an underscore is ignored (by this I mean it does not show up in PHP's $_SERVER array). So if I add a header named my-header, it becomes available as $_SERVER['HTTP_MY_HEADER'], but if I try adding a header my_header, it's not available in $_SERVER.

推荐答案

这是在Apache的2.4记录功能。见<一href=\"http://httpd.apache.org/docs/trunk/new_features_2_4.html\">httpd.apache.org/docs/trunk/new_features_2_4.html

This is a documented feature in apache 2.4. See httpd.apache.org/docs/trunk/new_features_2_4.html

环境变量头的翻译比更加严格
  之前，通过减少一些可能的跨站点脚本攻击
  头注入。包含无效字符头文件（包括
  下划线）现在丢弃。

Translation of headers to environment variables is more strict than before to mitigate some possible cross-site-scripting attacks via header injection. Headers containing invalid characters (including underscores) are now silently dropped.

这篇关于用下划线标题名称忽略在PHP 5.5.1 / 2.4.6阿帕奇的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！