I discovered a bug in Drupal's HTTP request (drupal_http_request); overriding the $data variable on redirect.

<?php
 
// This will redirect to "http://drupal.org/"
 
drupal_http_request('http://www.drupal.org/', array('Content-Type' => 'application/x-www-form-urlencoded'), 'POST', 'key=value');
?>

The first request/response looks as follows

POST / HTTP/1.0
Host: www.drupal.org
User-Agent: Example (+http://www.example.com/)
Content-Length: 9
Content-Type: application/x-www-form-urlencoded
\r\n
key=value
HTTP/1.1 301 Moved Permanently
Date: Thu, 23 Feb 2006 11:30:13 GMT
Server: Apache
Location: http://drupal.org/
Content-Length: 290
Connection: close
Content-Type: text/html; charset=iso-8859-1

Now Drupal will try to follow the redirect to http://drupal.org/ but $data gets overwritten here

<?php
 
// well... as soon as i post these lines (line 367-372 from common.inc)
  // I get a "Request terminated because of suspicious input data".
?>

and so the next request will look as follows

POST / HTTP/1.0
Host: drupal.org
User-Agent: Example (+http://www.example.com/)
Content-Length: 492
\r\n
HTTP/1.1 301 Moved Permanently
Date: Thu, 23 Feb 2006 11:30:13 GMT
Server: Apache
Location: http://drupal.org/
Content-Length: 290
Connection: close
Content-Type: text/html; charset=iso-8859-1
\r\n
HERE THE HTML RESULT OF FIRST REQUEST
Files: 

Comments

ebruts’s picture

Status:Active» Needs review

I think I set the wrong status.

ebruts’s picture

Title:HTTP request overrides data on redirect» HTTP request overrides headers and data on redirect
StatusFileSize
new1.41 KB

My patch was a bit hasty.

It also overrides the headers as you can see by comparing the first and second request.

POST / HTTP/1.0
Host: www.drupal.org
User-Agent: Example (+http://www.example.com/)
Content-Length: 9
Content-Type: application/x-www-form-urlencoded
\r\n
key=value
POST / HTTP/1.0
Host: drupal.org
User-Agent: Example (+http://www.example.com/)
Content-Length: 492
\r\n
HTTP/1.1 301 Moved Permanently
Date: Thu, 23 Feb 2006 11:30:13 GMT
Server: Apache
Location: http://drupal.org/
Content-Length: 290
Connection: close
Content-Type: text/html; charset=iso-8859-1
\r\n
HERE THE HTML RESULT OF FIRST REQUEST
Dries’s picture

Thanks for the patch. Looking at it, I can't figure out what you changed. I can see some variable names being changed, but other than that? I'm sure I'm missing something. Care to elaborate? Thanks.

ebruts’s picture

StatusFileSize
new1.69 KB

Yes only the variablenames changed.
I tried to make it more clear but got that "Request terminated because of suspicious input data" everytime I tried to post some PHP code.

I still have the problem so I will attach my post as a text file.

Crell’s picture

To post PHP code in a comment, surrounded it with the "PHP Element" delimiters:

<?php
// Your code here
?>
Dries’s picture

Status:Needs review» Fixed

Got it now! Makes sense so I committed it to HEAD. Thanks.

Anonymous’s picture

Status:Fixed» Closed (fixed)
zilla’s picture

Version:x.y.z» 6.0

thanks - i'm having this issue right now as well - but i know very little about patching - could you please explain at a grade school level which file i need to go to and how i patch or if i can just cut and paste code from the patch? would be VERY helpful...

could i simply browse cvs.drupal.org and grab the most recent common.inc file
at:
http://cvs.drupal.org/viewvc.py/drupal/drupal/includes/common.inc?view=log

and then simply upload and overwrite the existing file?

Lucict’s picture

Version:6.0» 6.2

I am running version 6.2 on a private server with Apache 2.0 and PHP5 and am currently experiencing this issue. Looking at my common.inc file, I can see that the patch posted here has already been integrated, so my thought is that I may have an issue with the configuration of my server.

Are there any known Apache 2 or PHP5 settings that may be causing this error?

Or would it be possible that my firewall is blocking a port that needs to be open?

I found some good information on patching here: http://drupal.org/node/30466 In the comments and responses there are some commands and options to try.

lameei’s picture

+1

lameei’s picture

What to do for 6.8? please help. I couldn't find anything for this version.

sobi3ch’s picture

Same problem on internat sever but I never have this with d5 on same machine, this is not first installation.

alienzed’s picture

so, was this ever fixed?