1

I am running Apache2 and PHP 5 on Linux, and I'm getting some strange behavior with the php://input stream.

For some GET requests the stream is not empty like it should be. Instead, the php://input stream contains the entire GET request. I have worked around the issue but I would like to know if I should file a bug about this, or if it is "desired but undocumented" behavior.

Details

Early in the request processing, I call:

$in = file_get_contents('php://input');
if ( !empty($in) )
    $post_data = json_decode($in);

if ( !empty($in) && is_null($post_data) ) {
    // output some error info and exit
}

Usually when a request does not have a body then $in is empty and all is right with the world. But sometimes a GET request will have a body, and that body will be the entire request. Of course you can't json-decode that data, and the error condition gets hit.

This only happens with some requests. For example, this request does not exhibit the error:

GET /os/invitations/kkkkkk HTTP/1.1
Host: our.machine.com
Content-Type: application/json
Authorization: Basic aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa==

But this request, which is routed through some proxies and VPNs, does trigger the error.

GET http://some.proxy.at.some.big.company.com:7080/cvp-out/cmmproxy/os/invitations/d66065566dba541c8ba6a70329684645 HTTP/1.1
Content-Type: application/json
Authorization: Basic aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa==
Clientid: abc
User-Agent: Java/1.6.0
Host: some.proxy.at.some.big.company.com:7080
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
X-Remote-Addr: 53.231.244.171
X-Remote-Host: 53.231.244.171
X-Server-Name: some.proxy.at.some.big.company.com
X-Server-Port: 7080
X-Scheme: http

I spent hours treating this like a routing/dispatch problem, but it turned out to be our code. The fix was, of course, to only read from the input stream when you are expecting data:

if ( in_array( $_SERVER['REQUEST_METHOD'], array('PUT', 'POST') )) {
    $in = file_get_contents('php://input');
    if ( !empty($in) )
        $post_data = json_decode($in);
}

Is this a known issue? Does it happen unpredictably? Should I file a bug?

slashingweapon
  • 11,007
  • 4
  • 31
  • 50

1 Answers1

1

As far as i know, that's not an error. We understand that a GET request shouldnt have a body, but in the docs of php:// they say nothing about wich types of requests will generate an input, so it could be any method. And for sure it is not limited to POST, since the mention at least PUT and PROPFIND.

So at any rate, your solution is a must.

Carlos Robles
  • 10,828
  • 3
  • 41
  • 60