
Thread: FastCGI Response Header Validation

Last post 06-03-2009 2:02 PM by peaceable_whale. 2 replies.





  • 06-03-2009, 3:48 AM

    FastCGI Response Header Validation

    The FastCGI Module of IIS 7.5 has also removed the Response Header Validation. My concern and suggestion at http://forums.iis.net/t/1157034.aspx is therefore valid for the FastCGI Module of IIS 7.5 as well. Any comment?

    Franklin Tse (whale)
  • 06-03-2009, 1:14 PM In reply to

    • ksingla
    • Top 25 Contributor
    • Joined on 06-14-2006, 3:02 AM
    • Redmond, WA
    • Posts 863

    Re: FastCGI Response Header Validation

    Hi Franklin,

    We had very basic validation for response headers in the FastCgi module. Because many PHP developers complained about it, we decided to change the behavior in IIS FastCGI to match Apache behavior and drop invalid response headers silently. Invalid response headers, from the FastCGI module's perspective, were headers which didn't have a colon in them. Your idea of having a configurable property is good, but I don't really see much use for it. The property will only make sense to developers and not to IT administrators, and developers should not rely on FastCGI functionality to validate the format of response headers, especially when we really had minimal validation in the module. Does this make sense?

    Thanks,
    Kanwal

    Follow me on twitter at http://twitter.com/kjsingla
  • 06-03-2009, 2:02 PM In reply to

    Re: FastCGI Response Header Validation

    Hi Kanwal,

    I believe that such validation is enough. According to the PHP Manual, the header function is to send a raw HTTP header; and according to section 4.2 of RFC 2616, "Each header field consists of a name followed by a colon (":") and the field value". These documents support that checking the colon is already enough, and there is no reason for using the PHP header function to send an invalid response header.

    The main disadvantage of dropping invalid response headers silently is that the developer may not be able to notice the problem as soon as possible. For example, he wants to send "Content-Type: text/plain; charset=UTF-8" but has typed only "text/plain; charset=UTF-8". With the validation, he can quickly spot the error and fix it. The example does look silly, but this can happen in the real world, especially when the developer is tired (I experienced this problem as well).

    Dropping invalid response headers silently is dangerous. While developers should not rely on the FastCGI functionality to validate the headers, warnings and error messages from compilers and runtime processors are important for them to notice if there is any mistake in their code.

    Franklin Tse (whale)
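The two behaviours argued over in this thread (Kanwal's description of the module's colon-only check, and Franklin's "text/plain; charset=UTF-8" typo) can be modelled in a few lines. The following is an added example, not code from IIS, PHP or either poster; it parses a CGI/FastCGI response header block and applies either policy: strict (reject a colon-less line, as the old module did) or lenient (drop it silently, the Apache behaviour IIS 7.5 adopted). The sample response is constructed, and the handling of RFC 2616 LWS folding (a continuation line starting with SP or HT, which has no colon but is not an invalid header) and the empty-name check are the example's own additions, slightly stricter and more careful than the colon-only rule the thread describes.

```python
import re
from dataclasses import dataclass


class InvalidHeaderError(ValueError):
    """Raised in strict mode when a header line has no ':' separator."""


@dataclass
class ParsedResponse:
    headers: list          # (name, value) pairs that survived validation
    dropped: list          # raw lines discarded silently in lenient mode
    body: bytes


def split_cgi_response(raw: bytes):
    """Split a CGI response at the first blank line (CRLF or bare LF)."""
    m = re.search(rb"\r?\n\r?\n", raw)
    if m is None:                      # no blank line: header block only
        return raw, b""
    return raw[:m.start()], raw[m.end():]


def parse_headers(raw: bytes, strict: bool) -> ParsedResponse:
    """Validate a header block with the thread's rule: each line needs a colon.

    strict=True  -> raise on a malformed line (old IIS FastCGI behaviour)
    strict=False -> drop the line silently (Apache / IIS 7.5 behaviour)

    A line beginning with SP or HT is RFC 2616 LWS folding, i.e. a
    continuation of the previous field value; it is appended to that value
    instead of being judged on its own, because a naive colon test would
    wrongly discard it.
    """
    head, body = split_cgi_response(raw)
    headers, dropped = [], []
    for line in head.splitlines():
        text = line.decode("latin-1")
        if not text.strip():
            continue
        if text[0] in " \t" and headers:          # folded continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + text.strip())
            continue
        name, sep, value = text.partition(":")
        # The empty-name check is an addition beyond the thread's colon-only rule.
        if not sep or not name.strip():
            if strict:
                raise InvalidHeaderError(f"malformed response header line: {text!r}")
            dropped.append(text)
            continue
        headers.append((name.strip(), value.strip()))
    return ParsedResponse(headers, dropped, body)


# Constructed sample: roughly what a PHP script emits after
# header("text/plain; charset=UTF-8") with the "Content-Type: " prefix
# forgotten, surrounded by two well-formed headers.
SAMPLE = (b"Status: 200 OK\r\n"
          b"text/plain; charset=UTF-8\r\n"
          b"X-Frame-Options: DENY\r\n"
          b"\r\n"
          b"hello")


if __name__ == "__main__":
    lenient = parse_headers(SAMPLE, strict=False)
    print("kept:", lenient.headers)
    print("dropped silently:", lenient.dropped)
    try:
        parse_headers(SAMPLE, strict=True)
    except InvalidHeaderError as exc:
        print("strict mode rejected:", exc)
```

In lenient mode the typo line vanishes and the response goes out with whatever Content-Type the server defaults to; nothing in the response or the log tells the developer why. The same silent drop applies to a mistyped security header, so a hardening header that a developer believes is set can be absent from every response without any error surfacing, which is the practical reason Franklin's point about visible failures matters beyond the Content-Type example.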