
After upgrading to PHP 5.5.1 and Apache 2.4.6, checking for certain headers is now broken (specifically, checking for HTTP_X_REQUESTED_WITH).

Through further testing I noticed that any custom header that contains an underscore is ignored (by this I mean it does not show up in PHP's $_SERVER array). So if I add a header named my-header, it becomes available as $_SERVER['HTTP_MY_HEADER'], but if I try adding a header named my_header, it is not available in $_SERVER.

1 Answer

This is a documented feature of Apache 2.4. See httpd.apache.org/docs/trunk/new_features_2_4.html

"Translation of headers to environment variables is more strict than before, to mitigate some possible cross-site scripting attacks via header injection. Headers containing invalid characters (including underscores) are now silently dropped."

answered 2013-08-13T09:13:04.987
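To make the behaviour described in the answer concrete, here is a small model of the CGI header-to-variable translation that Apache performs before PHP sees $_SERVER. This is an added example, not code from the question, the answer or Apache itself. It assumes (based on the documented 2.4 wording, not on Apache's source) that a valid header name consists only of letters, digits and hyphens; the sample request headers are constructed for the demonstration.

```python
import re
from typing import Dict, Mapping

# Assumption (modelled on the documented Apache 2.4 behaviour, not taken from
# Apache's code): a header name is valid if it contains only letters, digits
# and '-'. Anything else, including '_', marks the header as invalid.
_VALID_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def cgi_var_name(header_name: str) -> str:
    """Map a request header name to its CGI / $_SERVER key.

    The CGI convention is HTTP_ + the upper-cased name with '-' replaced by
    '_'. That replacement is why 'my-header' and 'my_header' both land on
    HTTP_MY_HEADER: the application cannot tell which spelling was sent.
    """
    return "HTTP_" + header_name.upper().replace("-", "_")


def headers_to_env(headers: Mapping[str, str], strict: bool) -> Dict[str, str]:
    """Build the HTTP_* part of the CGI environment from request headers.

    strict=False models the pre-2.4 translation: every header is exported,
    so a later header that maps to the same variable silently overwrites
    an earlier one.
    strict=True models Apache 2.4: header names with characters outside
    [A-Za-z0-9-] are dropped and never reach PHP at all.
    """
    env: Dict[str, str] = {}
    for name, value in headers.items():
        if strict and not _VALID_NAME.match(name):
            continue  # silently dropped, exactly as the OP observed
        env[cgi_var_name(name)] = value
    return env


# Constructed sample request, not a captured one. 'my-header' and 'my_header'
# are the two spellings from the question; the pair shows the collision that
# the stricter translation removes.
SAMPLE_HEADERS = {
    "Host": "example.test",
    "my-header": "ok",
    "my_header": "also-ok",
    "X-Requested-With": "XMLHttpRequest",
}


def demo() -> None:
    loose = headers_to_env(SAMPLE_HEADERS, strict=False)
    strict = headers_to_env(SAMPLE_HEADERS, strict=True)
    print("pre-2.4  HTTP_MY_HEADER =", loose.get("HTTP_MY_HEADER"))
    print("2.4      HTTP_MY_HEADER =", strict.get("HTTP_MY_HEADER"))
    print("2.4 keys:", sorted(strict))


if __name__ == "__main__":
    demo()
```

Running it shows that with the old translation the underscore spelling wins (HTTP_MY_HEADER is "also-ok"), while under the 2.4 rule only the hyphenated header is exported and HTTP_X_REQUESTED_WITH is unaffected, since that name contains no underscore. The practical consequence for the OP is that a client sending my_header must be changed to send my-header, or the header must be renamed before Apache translates it.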