- sapi_header_op(SAPI_HEADER_(REPLACE|ADD), {NULL, 0, 0}) caused HTTP response splitting

- sapi_send_headers() already takes care of default_content_type (left over of fix for bug #29983)

2 files changed, 9 insertions, 13 deletions

diff --git a/main/SAPI.c b/main/SAPI.c
index 94e924c626..480932fd8a 100644
--- a/main/SAPI.c
+++ b/main/SAPI.c
@@ -545,6 +545,10 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg TSRMLS_DC)
 	case SAPI_HEADER_REPLACE:
 	case SAPI_HEADER_ADD: {
 		sapi_header_line *p = arg;
+		
+		if (!p->line || !p->line_len) {
+			return FAILURE;
+		}
 		header_line = p->line;
 		header_line_len = p->line_len;
 		http_response_code = p->response_code;
diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c
index 7597bff7a6..a912da7eff 100644
--- a/sapi/cgi/cgi_main.c
+++ b/sapi/cgi/cgi_main.c
@@ -331,21 +331,13 @@ static int sapi_cgi_send_headers(sapi_headers_struct *sapi_headers TSRMLS_DC)
 		PHPWRITE_H(buf, len);
 	}
 
-	if (SG(sapi_headers).send_default_content_type)
-	{
-		char *hd;
-
-		hd = sapi_get_default_content_type(TSRMLS_C);
-		PHPWRITE_H("Content-type: ", sizeof("Content-type: ") - 1);
-		PHPWRITE_H(hd, strlen(hd));
-		PHPWRITE_H("\r\n", 2);
-		efree(hd);
-	}
-
 	h = zend_llist_get_first_ex(&sapi_headers->headers, &pos);
 	while (h) {
-		PHPWRITE_H(h->header, h->header_len);
-		PHPWRITE_H("\r\n", 2);
+		/* prevent CRLFCRLF */
+		if (h->header_len) {
+			PHPWRITE_H(h->header, h->header_len);
+			PHPWRITE_H("\r\n", 2);
+		}
 		h = zend_llist_get_next_ex(&sapi_headers->headers, &pos);
 	}
 	PHPWRITE_H("\r\n", 2);