Request #51642 FILTER_VALIDATE_URL should fail if an invalid IP address is used
Submitted: 2010-04-23 09:48 UTC Modified: 2012-02-15 04:04 UTC
Votes:122
Avg. Score:3.0 ± 0.3
Reproduced:4 of 24 (16.7%)
Same Version:65538 (1638450.0%)
Same OS:65538 (1638450.0%)
From: graham at grahamweldon dot com Assigned:
Status: Open Package: Filter related
PHP Version: 5.2.13 OS: OSX 10.5.3
Private report: No CVE-ID: None
 [2010-04-23 09:48 UTC] graham at grahamweldon dot com
Description:
------------
Tested using PHP 5.2.13 and PHP 5.3.1
Supply of an invalid IP address as the host part of a URL passes the filter_var 
validation.

I propose that validation should fail if an invalid IP address is provided in URL 
validation.

Test script:
---------------
var_dump(filter_var('http://999.123.999.123', FILTER_VALIDATE_URL));


Expected result:
----------------
bool(false)

Actual result:
--------------
string(22) "http://999.123.999.123"

History
 [2010-04-26 03:08 UTC] graham at grahamweldon dot com
-Operating System: OSX 10.5.6 +Operating System: OSX 10.5.3
 [2010-04-26 03:08 UTC] graham at grahamweldon dot com
Fixed OSX Version number in report.
 [2012-02-14 22:22 UTC] hairmare at purplehaze dot ch
FILTER_VALIDATE_URL implements RFC2396 (which does not even mention ip 
validation). Have you considered ANDing FILTER_VALIDATE_URL with 
FILTER_VALIDATE_IP like so:

<?php
$url = 'http://999.123.999.123';
var_dump(
    filter_var($url, FILTER_VALIDATE_URL) && 
    filter_var(parse_url($url, PHP_URL_HOST), FILTER_VALIDATE_IP)
);
 [2012-02-15 00:07 UTC] rasmus@php.net
-Type: Feature/Change Request +Type: Documentation Problem
 [2012-02-15 00:07 UTC] rasmus@php.net
This is more of a documentation issue than an actual feature request.
 [2012-02-15 01:26 UTC] graham at grahamweldon dot com
I think it becomes a documentation issue, if the request to add IP validation as 
part of the FILTER_VALIDATE_URL is declined.
 [2012-02-15 04:04 UTC] rasmus@php.net
-Type: Documentation Problem +Type: Feature/Change Request
 [2012-02-15 04:04 UTC] rasmus@php.net
I'll put it back to a feature request. I do agree it would be useful to have an 
RFC3986 validator. This code was written prior to that RFC. RFC2396 doesn't 
specify validating the dotted-decimal IPv4 syntax, but RFC3986 does along with 
introducing IPv6-support, of course.
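
The combined check suggested earlier in the thread also rejects every URL whose host is a name, because FILTER_VALIDATE_IP is applied to all hosts. The following is an added example, not part of the report and not PHP's own code, that applies the IP check only when the host looks like an IP literal; `url_host_is_valid` is a hypothetical helper name, and treating any digits-and-dots host as an intended IPv4 address is an assumption made here.

```php
<?php
// Added example, not PHP's own code. url_host_is_valid() is a hypothetical
// helper name. Assumption: a host made only of digits and dots is meant to
// be an IPv4 literal and must validate as one.

function url_host_is_valid($url)
{
    // Generic URL syntax check, as used in the report.
    if (!is_string($url) || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }

    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;
    }

    // Bracketed host: IPv6 literal, validate the part inside the brackets.
    if ($host[0] === '[') {
        if (substr($host, -1) !== ']') {
            return false;
        }
        $inner = substr($host, 1, -1);
        return filter_var($inner, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false;
    }

    // Digits and dots only: require a valid dotted-decimal IPv4 address.
    if (preg_match('/\A[0-9.]+\z/', $host) === 1) {
        return filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
    }

    // Anything else is a host name; FILTER_VALIDATE_URL has already accepted it.
    return true;
}

// Constructed sample inputs (documentation address ranges and example.com).
$samples = array(
    'http://999.123.999.123',
    'http://192.0.2.10/status',
    'http://[2001:db8::1]/',
    'http://example.com/path',
);
foreach ($samples as $url) {
    printf("%-28s %s\n", $url, url_host_is_valid($url) ? 'accepted' : 'rejected');
}
```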
 
Last updated: Wed Dec 04 18:01:31 2024 UTC