php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #43008 php://filter uris ignore url encoded filternames and can't handle slashes
Submitted: 2007-10-17 17:04 UTC Modified: 2008-08-02 06:38 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (50.0%)
From: php at benjaminschulz dot com Assigned: hholzgra (profile)
Status: Closed Package: Streams related
PHP Version: 5.3CVS-2007-10-17 (CVS) OS: linux
Private report: No CVE-ID: None
 [2007-10-17 17:04 UTC] php at benjaminschulz dot com
Description:
------------
because filternames can contain slashes (convert.iconv.from-enc/to-enc) it should be possible to pass URL-encodet filternames to php://filter

Reproduce code:
---------------
<?php
$str = 'php://filter/read=convert.iconv.ISO-8859-15%2FUTF-8/resource=data://text/plain,foobar';
                                             ^ url encoded slash

Expected result:
----------------
string(6) "foobar"


Actual result:
--------------
Warning:  file_get_contents(): unable to create or locate filter "convert.iconv.ISO-8859-15%2FUTF-8" in /var/www/foo/a.php on line 34
Warning:  file_get_contents(): Unable to create filter (convert.iconv.ISO-8859-15%2FUTF-8) in /var/www/foo/a.php on line 34

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-03-10 14:55 UTC] php at benjaminschulz dot com
If the filtername is not URL encoded than i get this:
Warning: readfile(): unable to create or locate filter "convert.iconv.ISO-8859-15" in ...
Warning: readfile(): Unable to create filter (convert.iconv.ISO-8859-15) in ...
Warning: readfile(): unable to locate filter "UTF-8" in ...
Warning: readfile(): Unable to create filter (UTF-8) in ...
 [2008-03-17 20:53 UTC] jani@php.net
And this should work because..? (IMO, it's expected, you pass invalid data -> you get an error..simple.)
 [2008-03-17 23:42 UTC] php at benjaminschulz dot com
This should work because otherwise there is no way to pass valid and existing filternames as URIs to PHP.
(This bug is approved by hartmut btw.)
 [2008-07-11 09:16 UTC] arnaud dot lb at gmail dot com
A possible fix would be to urldecode() filter names in the php:// wrapper before passing them to the filter API:

http://arnaud.lb.s3.amazonaws.com/url_encoded_filter-43008.patch
 [2008-07-11 19:37 UTC] php at benjaminschulz dot com
The patch works perfectly for me.
 [2008-08-02 06:38 UTC] lbarnaud@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Dec 30 14:01:28 2024 UTC