PHP :: Bug #74875 :: FILTER_VALIDATE_URL has bug with "/" in query string

Bug #74875	FILTER_VALIDATE_URL has bug with "/" in query string
Submitted:	2017-07-07 12:32 UTC	Modified:	2017-07-07 12:55 UTC
From:	benedikt at piwnica dot de	Assigned:
Status:	Duplicate	Package:	Filter related
PHP Version:	7.0.21	OS:
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	benedikt at piwnica dot de
New email:
PHP Version:		OS:

New Comment:

[2017-07-07 12:32 UTC] benedikt at piwnica dot de

Description:
------------
Hey there,
I wrote a validation script using filter_var($url, FILTER_VALIDATE_URL) and some tests for the script.
Now I've discovered a mistake while validating an url with a slash in the query string.
Is there a pathname like in https://test.com/?q=123/456 or https://test.com/x/y/z?q=123/456 the url is valid. 
Is there no pathname like in https://test.com?q=123/456 the url is not valid.
Could it be, that there is a bug in the regex?



Test script:
---------------
<?php
var_dump(filter_var("https://test.com/?q=123456", FILTER_VALIDATE_URL));
var_dump(filter_var("https://test.com?q=123456", FILTER_VALIDATE_URL));
var_dump(filter_var("https://test.com/?q=123/456", FILTER_VALIDATE_URL));
var_dump(filter_var("https://test.com?q=123/456", FILTER_VALIDATE_URL));

Expected result:
----------------
string 'https://test.com/?q=123456' (length=26)
string 'https://test.com?q=123456' (length=25)
string 'https://test.com/?q=123/456' (length=27)
string 'https://test.com?q=123/456' (length=26)

Actual result:
--------------
string 'https://test.com/?q=123456' (length=26)
string 'https://test.com?q=123456' (length=25)
string 'https://test.com/?q=123/456' (length=27)
boolean false

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-07-07 12:36 UTC] mail at pmmaga dot net

The issue seems to be fixed since 7.0.13: https://3v4l.org/Tmg17

[2017-07-07 12:51 UTC] benedikt at piwnica dot de

-Status: Open +Status: Closed

[2017-07-07 12:51 UTC] benedikt at piwnica dot de

Is fixed since 7.0.13!
Thanks for the comment.

[2017-07-07 12:55 UTC] requinix@php.net

-Status: Closed +Status: Duplicate

[2017-07-07 12:55 UTC] requinix@php.net

The URL filter actually parses the string, which puts this in bug #73192 territory.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2026 The PHP Group All rights reserved.	Last updated: Thu Jan 01 12:00:01 2026 UTC