|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2005-07-21 14:38 UTC] phpbugs at pureftpd dot org
Description: ------------ simplexml_load_file() decodes the argument that is supposed to be a file name. It can be a security flaw. I was able to bypass the Overture adult filter of the search engine of a http://skyblog.com by abusing this. Reproduce code: --------------- simplexml_load_file('http://example.com/a=' . urlencode('b&c')); It loads http://example.com/a=b&c (which means that the value of 'a' is 'b' not 'b&c' as intended by the urlencode() call). simplexml_load_file(rawurlencode('http://example.com/a=' . urlencode('b&c'))); Does the expected behavior and fetches the correct URL. Expected result: ---------------- Either fix the documentation (the argument is not a file name, but a rawurlencoded one), or the function to behave like fopen (), file_get_contents() and other similar functions. Actual result: -------------- URLs are decoded. PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sat Jul 05 17:01:34 2025 UTC |
This bug has been fixed in the documentation's XML sources. Since the online and downloadable versions of the documentation need some time to get updated, we would like to ask you to be a bit patient. Thank you for the report, and for helping us make our documentation better. "Libxml 2 unescapes the URI, so if you want to pass e.g. b&c as the URI parameter a, you have to call simplexml_load_file(rawurlencode('http://example.com/?a=' . urlencode('b&c')))."