PHP :: Bug #65141 :: filter_var() validates URL with two http:// as valid

Bug #65141

filter_var() validates URL with two http:// as valid

Submitted:

2013-06-27 03:39 UTC

Modified:

2013-07-02 08:21 UTC

Votes:	2
Avg. Score:	3.0 ± 0.0
Reproduced:	2 of 2 (100.0%)
Same Version:	1 (50.0%)
Same OS:	2 (100.0%)

From:

demtheman at yahoo dot com

Assigned:

Status:

Not a bug

Package:

URL related

PHP Version:

5.3.26

OS:

Windows 7 64-bit

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	demtheman at yahoo dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2013-06-27 03:39 UTC] demtheman at yahoo dot com

Description:
------------
I used filter_var() to validate the URL http://http://www.google.com (as test 
URL), however it seems to see it as valid which in fact is wrong. Refer to my SO 
question http://stackoverflow.com/questions/17333612/filter-var-accepts-invalid-
url

Test script:
---------------
$website = "http://http://www.google.com";

echo filter_var($website, FILTER_VALIDATE_URL);

Expected result:
----------------
The filter_var() should return FALSE.

Actual result:
--------------
The filter_var() returns the filtered data.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-06-27 20:56 UTC] cmbecker69 at gmx dot de

According to RFC 2396 Appendix A the example URI doesn't seem to be valid, 
even if it passes the regular expression given in Appendix B.

However, filter_var($var, FILTER_VALIDATE_URL) is based on parse_url().
parse_url('http://http://example.com') evaluates to:
Array
(
    [scheme] => http
    [host] => http
    [path] => //example.com
)
This is apparently wrong in this case according to RFC 2396; neither an abs_path 
nor a rel_path must start with a double slash.

[2013-06-28 21:02 UTC] cmbecker69 at gmx dot de

As Thomas Lahn pointed out in comp.lang.php
(<7348494.GbytuHRu9D@PointedEars.de>)
the mentioned URI (there was used a slightly different URI, 
but that doesn't matter in this case, as the productions can be adapted)
is actually valid according to RFC 2396.

[2013-07-02 08:21 UTC] ab@php.net

-Status: Open +Status: Not a bug

[2013-07-02 08:21 UTC] ab@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Here's the RFC http://www.ietf.org/rfc/rfc2396.txt

Quick BNF evaluation

absoluteURI
	scheme http
	:
	hier_part
		net_path
			//
			authority
				server
					hostport http:

			abs_path
				/
				segment
				segment /www.google.com

That's pretty matchin with the RFC.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Apr 19 11:01:27 2025 UTC