Fix for #23902 by Shane.

Removed bogus recommendation from php.ini files.

# Basic authentication is actually possible
# usign IIS + PHP cgi countrary to our current docs

main/SAPI.c

@@ -456,6 +456,12 @@ static int sapi_extract_response_code(const char *header_line)
 
 static void sapi_update_response_code(int ncode TSRMLS_DC)
 {
+	/* if the status code did not change, we do not want
+	   to change the status line, and no need to change the code */
+	if (SG(sapi_headers).http_response_code == ncode) {
+		return;
+	}
+
 	if (SG(sapi_headers).http_status_line) {
 		efree(SG(sapi_headers).http_status_line);
 		SG(sapi_headers).http_status_line = NULL;

php.ini-dist

@@ -462,7 +462,7 @@ enable_dl = On
 ; use when sending HTTP response code. If it's set 0 PHP sends Status: header that
 ; is supported by Apache. When this option is set to 1 PHP will send
 ; RFC2616 compliant header.
-; Set to 1 if running under IIS.  Default is zero.
+; Default is zero.
 ;cgi.rfc2616_headers = 0 
  
 

php.ini-recommended

@@ -477,7 +477,7 @@ enable_dl = On
 ; use when sending HTTP response code. If it's set 0 PHP sends Status: header that
 ; is supported by Apache. When this option is set to 1 PHP will send
 ; RFC2616 compliant header.
-; Set to 1 if running under IIS.  Default is zero.
+; Default is zero.
 ;cgi.rfc2616_headers = 0 
 
 

sapi/cgi/cgi_main.c

@@ -303,7 +303,7 @@ static int sapi_cgi_send_headers(sapi_headers_struct *sapi_headers TSRMLS_DC)
 	if (SG(sapi_headers).http_response_code != 200) {
 		int len;
 
-		if (rfc2616_headers) {
+		if (rfc2616_headers && SG(sapi_headers).http_status_line) {
 			len = snprintf(buf, SAPI_CGI_MAX_HEADER_LENGTH,
 						   "%s\r\n", SG(sapi_headers).http_status_line);