After upgrading to php 5.5.1 and apache 2.4.6, checking for certain headers is now broken (specifically, checking for HTTP_X_REQUESTED_WITH
).
Through further testing I noticed that any custom header that contains an underscore is ignored (by this I mean it does not show up in PHP's $_SERVER
array). So if I add a header named my-header
, it becomes available as $_SERVER['HTTP_MY_HEADER']
, but if I try adding a header my_header
, it's not available in $_SERVER
.
This is a documented feature in apache 2.4. See httpd.apache.org/docs/trunk/new_features_2_4.html
Translation of headers to environment variables is more strict than before to mitigate some possible cross-site-scripting attacks via header injection. Headers containing invalid characters (including underscores) are now silently dropped.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With