codeigniter4 · michalsn · Mar 19, 2026 · Mar 18, 2026 · Mar 18, 2026 · Mar 19, 2026
diff --git a/system/HTTP/CURLRequest.php b/system/HTTP/CURLRequest.php
@@ -504,14 +504,14 @@ protected function setResponseHeaders(array $headers = [])
                     $this->response->setHeader($title, $value);
                 }
             } elseif (str_starts_with($header, 'HTTP')) {
-                preg_match('#^HTTP\/([12](?:\.[01])?) (\d+) (.+)#', $header, $matches);
+                preg_match('#^HTTP\/([12](?:\.[01])?) (\d+)(?: (.+))?#', $header, $matches);
 
                 if (isset($matches[1])) {
                     $this->response->setProtocolVersion($matches[1]);
                 }
 
                 if (isset($matches[2])) {
-                    $this->response->setStatusCode((int) $matches[2], $matches[3] ?? null);
+                    $this->response->setStatusCode((int) $matches[2], $matches[3] ?? '');
                 }
             }
         }

diff --git a/tests/system/Cookie/CookieTest.php b/tests/system/Cookie/CookieTest.php
@@ -301,7 +301,7 @@ public function testArrayAccessOfCookie(): void
         $this->assertSame($cookie['path'], $cookie->getPath());
 
         $this->expectException('InvalidArgumentException');
-        $cookie['expiry']; // @phpstan-ignore expr.resultUnused
+        $cookie['expiry'];
     }
 
     public function testCannotSetPropertyViaArrayAccess(): void

diff --git a/tests/system/HTTP/CURLRequestTest.php b/tests/system/HTTP/CURLRequestTest.php
@@ -1041,6 +1041,23 @@ public function testResponseHeadersShortProtocol(): void
         $this->assertSame(235, $response->getStatusCode());
     }
 
+    public function testResponseHeadersWithoutReasonPhrase(): void
+    {
+        // HTTP/2 does not include a reason phrase per RFC 7540.
+        // curl synthesizes the status line as "HTTP/2 200" with no trailing reason.
+        $request = $this->getRequest([
+            'baseURI' => 'http://www.foo.com/api/v1/',
+            'delay'   => 100,
+        ]);
+
+        $request->setOutput("HTTP/2 200\x0d\x0aContent-Type: text/html\x0d\x0a\x0d\x0aHi there");
+        $response = $request->get('bogus');
+
+        $this->assertSame('2.0', $response->getProtocolVersion());
+        $this->assertSame(200, $response->getStatusCode());
+        $this->assertSame('OK', $response->getReasonPhrase());
+    }
+
     public function testPostFormEncoded(): void
     {
         $params = [

diff --git a/user_guide_src/source/changelogs/v4.7.1.rst b/user_guide_src/source/changelogs/v4.7.1.rst
@@ -48,6 +48,7 @@ Deprecations
 Bugs Fixed
 **********
 
+- **CURLRequest:** Fixed a bug where HTTP/2 responses without a reason phrase (e.g., ``HTTP/2 200``) were not parsed correctly, causing the status code and protocol version to be ignored.
 - **ContentSecurityPolicy:** Fixed a bug where custom CSP tags were not removed from generated HTML when CSP was disabled. The method now ensures that all custom CSP tags are removed from the generated HTML.
 - **ContentSecurityPolicy:** Fixed a bug where ``generateNonces()`` produces corrupted JSON responses by replacing CSP nonce placeholders with unescaped double quotes. The method now automatically JSON-escapes nonce attributes when the response Content-Type is JSON.
 - **ContentSecurityPolicy:** Fixed a bug where nonces generated by ``getScriptNonce()`` and ``getStyleNonce()`` were not added to the ``script-src-elem`` and ``style-src-elem`` directives, causing nonces to be silently ignored by browsers when those directives were present.