Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Does mod_php honor HEAD requests properly?

Tags:

http

php

mod-php

The HTTP/1.1 RFC stipulates "The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response." I know Apache honors the RFC but modules don't have to. My question is, does mod_php5 honor this?

The reason I ask is because I just came across an article saying that PHP developers should check this themselves with:

    if (stripos($_SERVER['REQUEST_METHOD'], 'HEAD') !== FALSE) {
        exit();
    }

I googled a second and not much turned up, other than some people saying they try to strange things like mod_rewrite/redirect after getting HEAD requests and some old bug ticket from like 2002 claiming that mod_php still executed the rest of the script by default. So I just ran a quick test by using PECL::HTTP to run

    http_head('http://mysite.com/test-head-request.php');

while having:

    <?php error_log('REST OF SCRIPT STILL RAN'); ?>

in test-head-request.php to see if the rest of the script still executed, and it didn't.

I figure that should be enough to settle it, but want to get more feedback and maybe help clear up confusion for anyone else who has wondered about this. So if anyone knows off the top of their head (no pun intended) - or have any conventions they use for receiving HEAD requests, that'd be great. Otherwise, I'll grep the C source later and respond in a comment with my findings. Thanks.

like image 721
rkulla Avatar asked Apr 08 '10 20:04

rkulla


2 Answers

The HEAD method is identical to GET except that the server MUST NOT return a message-body in the response.

That is why the check should not be performed. Clients should have confidence that HEAD requests process just the same as if a GET was issued (database connection, processing, etc...).

Addendum:

When performing

HEAD /test.php?a=3 HTTP/1.1
Host: somesite.com

PHP will still fill $_GET (and $_REQUEST) with the variables placed in the query string even though it was not a GET request. This allows compliance with the HEAD definition.

like image 159
webbiedave Avatar answered Oct 14 '22 13:10

webbiedave


I just did a quick test with a PHP file, temp.php, which contains this portion of code :

<?php

echo "Hello, World!\n";

die;


Sending an HTTP GET request to that file gets me the content of the page :

$ telnet localhost 80
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /temp/temp.php HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Date: Thu, 08 Apr 2010 20:17:35 GMT
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: PHP/5.3.2RC2
Vary: Accept-Encoding
Content-Length: 14
Content-Type: text/html

Hello, World!


While sending an HTTP HEAD request doesn't :

$ telnet localhost 80
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD /temp/temp.php HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Date: Thu, 08 Apr 2010 20:17:50 GMT
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: PHP/5.3.2RC2
Vary: Accept-Encoding
Content-Type: text/html


Not sure this is always true, though...

I remember a situation (some time ago ; was PHP 5.1) in which I've had to test myself, in the PHP code, if I was getting a GET or a HEAD request.



EDIT : After an additionnal test

I just did another test : my temp.php file now contains this :

<?php

file_put_contents('/tmp/a.txt', $_SERVER['REQUEST_METHOD'], FILE_APPEND);
var_dump($_SERVER['REQUEST_METHOD']);

die;

Sending an HTTP HEAD request, I get this :

$ telnet localhost 80
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HEAD /temp/temp.php HTTP/1.1
Host: localhost

HTTP/1.1 200 OK
Date: Thu, 08 Apr 2010 20:21:30 GMT
Server: Apache/2.2.12 (Ubuntu)
X-Powered-By: PHP/5.3.2RC2
Vary: Accept-Encoding
Content-Type: text/html

Connection closed by foreign host.

Here, no output.

BUT, looking at the /tmp/a.txt file :

$ cat /tmp/a.txt 
HEAD

So : no output sent by the server doesn't mean that there is nothing done ;-)

like image 44
Pascal MARTIN Avatar answered Oct 14 '22 14:10

Pascal MARTIN