php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Doc Bug #73975 parse_url does not decode % escaping of username
Submitted: 2017-01-23 02:38 UTC Modified: 2017-09-12 11:00 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: trejkaz at trypticon dot org Assigned: cmb (profile)
Status: Closed Package: URL related
PHP Version: 5.6.30 OS: macOS
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: trejkaz at trypticon dot org
New email:
PHP Version: OS:

 

 [2017-01-23 02:38 UTC] trejkaz at trypticon dot org 
Description:
------------
The userinfo part of a URL can contain %-encoding for characters which otherwise would confuse a URL parser.

Thus if your username or password contains, for instance, a @, you would be entering %40 into the URL instead.

PHP's parse_url function does not perform decode this encoding, but returns the 'user' and 'pass' values with it as it was in the original URL.

Alternatively, if the intent is that this function keeps the encoding in the values, this should be clearly stated in the documentation. It turns out that Drupal is calling this function, seemingly assuming that it is being completely decoded.


Test script:
---------------
<?
var_dump(parse_url('https://user%40name:pass%40word@example.com'));
?>


Expected result:
----------------
array(4) {
  ["scheme"]=>
  string(5) "https"
  ["host"]=>
  string(11) "example.com"
  ["user"]=>
  string(9) "user@name"
  ["pass"]=>
  string(9) "pass@word"
}


Actual result:
--------------
array(4) {
  ["scheme"]=>
  string(5) "https"
  ["host"]=>
  string(11) "example.com"
  ["user"]=>
  string(11) "user%40name"
  ["pass"]=>
  string(11) "pass%40word"
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-01-23 11:35 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2017-01-23 11:35 UTC] cmb@php.net 
Confirmed: <https://3v4l.org/W8DWh>.
 [2017-01-23 11:44 UTC] nikic@php.net 
It does not look like any component of the URL is url-decoded by parse_url(). While I personally think that parse_url() *ought* to be doing this, changing it at this point would be counter-productive, as client code would have to conditionally decode the result (rather than always decode it), leading to more brittle code.
 [2017-09-12 10:49 UTC] cmb@php.net
-Type: Bug +Type: Documentation Problem -Assigned To: +Assigned To: cmb
 [2017-09-12 10:49 UTC] cmb@php.net 
> It does not look like any component of the URL is url-decoded by
> parse_url().

Indeed.  Changing to doc bug.
 [2017-09-12 10:58 UTC] cmb@php.net 
Automatic comment from SVN on behalf of cmb
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=343075
Log: Fixed bug #73975 (parse_url does not decode % escaping of username)
 [2017-09-12 11:00 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2017-09-12 11:00 UTC] cmb@php.net 
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.
 [2020-02-07 06:06 UTC] phpdocbot@php.net 
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=doc/en.git;a=commit;h=3dee3a504f5c9c31cc9448f734b99a15c317fcb7
Log: Fixed bug #73975 (parse_url does not decode % escaping of username)
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue Oct 28 01:00:01 2025 UTC