PHP :: Request #64582 :: file_get_contents() handles redirects wrong

file_get_contents() handles redirects wrong

Submitted:

2013-04-04 14:55 UTC

Modified:

2021-10-04 17:04 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

spam2 at rhsoft dot net

Assigned:

Status:

Open

Package:

Streams related

PHP Version:

5.4.13

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	spam2 at rhsoft dot net
New email:
PHP Version:		OS:

New/Additional Comment:

[2013-04-04 14:55 UTC] spam2 at rhsoft dot net

Description:
------------
[line "182"] [id "950103"] [msg "path traversal attack"] [data "../"] [hostname "test.test.rh"] [uri "/contentlounge/updateservice/cms_demo/cms//../cms.php"] [unique_id "UV2MrQoAAGMAAE356XkAAAAF"]


in the folder /cms is a simple index.php with header('Location: ../cms.php');
every normal browser translates path and does not trigger modsec
php triggers the "path traversal"-rule


Expected result:
----------------
call the URL /contentlounge/updateservice/cms_demo/cms/cms.php

Actual result:
--------------
calling the URL /contentlounge/updateservice/cms_demo/cms//../cms.php

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-04-04 15:53 UTC] johannes@php.net

RFC 2616 Section 14.30 requires "a single absolute URI." for the location header. Any relative location is not standards compliant.

[2013-04-04 15:57 UTC] spam2 at rhsoft dot net

i know that, but it is not that easy to generate everytime a full qualified URL and since any other http-client translates the ../ PHP should act the same way

[2015-04-17 23:58 UTC] cmb@php.net

-Package: Scripting Engine problem +Package: Streams related

[2015-04-17 23:58 UTC] cmb@php.net

RFC 7231 which obsoletes RFC 2616 allows relative references[1],
though. It seems to me that the http:// stream wrappers should
comply.

[1] <http://tools.ietf.org/html/rfc7231#section-7.1.2>

[2021-10-04 17:04 UTC] cmb@php.net

-Type: Bug +Type: Feature/Change Request

[2021-10-04 17:04 UTC] cmb@php.net

Still, not a bug, but rather a feature request.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Oct 28 05:00:01 2025 UTC