Description
Description
When using file_get_contents to post an HTTP/HTTPS request, context->http->header can either be a string or an array of strings. If a string, it may ignore the header containing a Content-Type line and add an additional one.
The following code:
<?php
$header = "Authentication: Bearer XYZ" . PHP_EOL;
$header .= 'Content-Type: application/json' . PHP_EOL;
$httpoptions = [
'method' => 'POST',
'ignore_errors' => true,
'content' => json_encode(["message" => "Hello world"]),
'header' => $header,
];
$context = stream_context_create(['http' => $httpoptions]);
$result = file_get_contents("http://some-test-url/", false, $context);Resulted in this request (captured using netcat):
POST / HTTP/1.1
Host: some-test-url
Connection: close
Content-Length: 25
Authentication: Bearer XYZ
Content-Type: application/json
Content-Type: application/x-www-form-urlencoded
{"message":"Hello world"}
But I expected this output instead:
POST / HTTP/1.1
Host: some-test-url
Connection: close
Content-Length: 25
Authentication: Bearer XYZ
Content-Type: application/json
{"message":"Hello world"}
Commentary:
There is a warning, "file_get_contents(): Content-type not specified assuming application/x-www-form-urlencoded", that is on some occasions issued (although not, oddly enough, for the code we tracked down this issue as applying to.)
The issue goes away if you build context->http->header as an array.
While arguably building the header as a multiline string seems (always seemed) odd to me, it's frequently quoted in examples across the Internet (which is probably how we ended up doing it) - several examples here: https://www.php.net/manual/en/function.stream-context-create.php
I doubt there are any backward compatibility issues that would be caused by a straight fix to this.
PHP Version
PHP 8.1.2
Operating System
Ubuntu 22.04