Fix for bug #32263

This adds proto_num to request_info.  It is defaulted to HTTP 1.0 (1000)
such that it has a valid value even if the underlying sapi doesn't set it
correctly.  It is then used to determine if a 302 or a 303 should be sent
on a Location redirect.  Any non GET/HEAD HTTP 1.1 redirect will get a 303
instead of a 302 to be compatible with the HTTP spec.

1 files changed, 9 insertions, 1 deletions

diff --git a/main/SAPI.c b/main/SAPI.c
index c0c95ae95e..5ff76c35b2 100644
--- a/main/SAPI.c
+++ b/main/SAPI.c
@@ -346,6 +346,7 @@ SAPI_API void sapi_activate(TSRMLS_D)
 	SG(request_info).current_user_length = 0;
 	SG(request_info).no_headers = 0;
 	SG(request_info).post_entry = NULL;
+	SG(request_info).proto_num = 1000; /* Default to HTTP 1.0 */
 	SG(global_request_time) = 0;
 
 	/* It's possible to override this general case in the activate() callback, if
@@ -608,7 +609,14 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg TSRMLS_DC)
 					SG(sapi_headers).http_response_code > 307) &&
 					SG(sapi_headers).http_response_code != 201) {
 					/* Return a Found Redirect if one is not already specified */
-					sapi_update_response_code(302 TSRMLS_CC);
+					if(SG(request_info).proto_num > 1000 && 
+					   SG(request_info).request_method && 
+					   strcmp(SG(request_info).request_method, "HEAD") &&
+					   strcmp(SG(request_info).request_method, "GET")) {
+						sapi_update_response_code(303 TSRMLS_CC);
+					} else {
+						sapi_update_response_code(302 TSRMLS_CC);
+					}
 				}
 			} else if (!STRCASECMP(header_line, "WWW-Authenticate")) { /* HTTP Authentication */