Bug #75356 parse_url filtering does not match CURL filtering
Submitted: 2017-10-10 18:38 UTC Modified: 2017-10-10 21:05 UTC
From: mattshockl at gmail dot com Assigned:
Status: Not a bug Package: URL related
PHP Version: 7.1.10 OS: Linux
Private report: No CVE-ID: None
 [2017-10-10 18:38 UTC] mattshockl at gmail dot com
Description:
------------
Similarly to https://bugs.php.net/bug.php?id=73192, parse_url parsing mismatches the parsing of the curl module.  By crafting a special url like "badwebsite.com:/secrets.php", parse_url will parse and return "badwebsite.com" as the schema, while curl will execute with "badwebsite.com" as the hostname.  For sites filtering on parse_url hostname, this could be seen as a security issue/bypass.  See the test script for an example. 

Test script:
---------------
<?php
// Hosts the application does not want to fetch from
$blacklist = array("google.com", "badwebsite.com");

$url = $_GET['url']; /* url=badwebsite.com:/secrets.php */
$parsed = parse_url($url);

// This check only fires when parse_url() reports a 'host' key
if (isset($parsed['host']) && in_array($parsed['host'], $blacklist))
{
    echo "bad hacker";
    exit();
}

// The unmodified user-supplied string is what curl receives
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_COOKIE, "nuke_launch_codes=31-133-37");
curl_exec($ch);
curl_close($ch);


Expected result:
----------------
With url=badwebsite.com:/secrets.php, the expected result should be "bad hacker."

Actual result:
--------------
With url=badwebsite.com:/secrets.php, the actual result is the HTML of badwebsite.com/secrets.php

 [2017-10-10 21:05 UTC] requinix@php.net
-Status: Open
+Status: Not a bug
-Package: Filter related
+Package: URL related
 [2017-10-10 21:05 UTC] requinix@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

http://php.net/manual/en/function.parse-url.php
> This function is not meant to validate the given URL

http://php.net/manual/en/function.filter-var.php
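
An added example, not part of the bug report or of PHP itself: a fail-closed version of the test script's check that requires an explicit http(s) scheme and a host, then gives curl a URL rebuilt from the validated components instead of the raw input. The function names checked_url() and fetch_checked() and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: validate first, then fetch only what was validated.
// checked_url() and fetch_checked() are hypothetical helper names.

function checked_url(string $url, array $blocklist): ?string
{
    $p = parse_url($url);
    // Fail closed: no explicit scheme or no host means no fetch.
    // "badwebsite.com:/secrets.php" stops here because it has no 'host'.
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $host   = strtolower(rtrim($p['host'], '.'));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // Embedded credentials are refused rather than interpreted.
    if (isset($p['user']) || isset($p['pass'])) {
        return null;
    }
    if (in_array($host, $blocklist, true)) {
        return null;
    }
    // Rebuild the URL so curl sees exactly the components that were checked.
    return $scheme . '://' . $host
        . (isset($p['port']) ? ':' . $p['port'] : '')
        . ($p['path'] ?? '/')
        . (isset($p['query']) ? '?' . $p['query'] : '');
}

function fetch_checked(string $url, array $blocklist)
{
    $safe = checked_url($url, $blocklist);
    if ($safe === null) {
        return false;
    }
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $safe);
    // Restrict curl itself to the schemes the check allows, and do not
    // follow redirects to hosts that were never checked.
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Constructed inputs; only the validation step runs, so no network is needed.
$blocklist = ['google.com', 'badwebsite.com'];
foreach (['badwebsite.com:/secrets.php', 'http://badwebsite.com/secrets.php'] as $u) {
    var_dump(checked_url($u, $blocklist));
}
```

An exact-match blocklist still misses other names for the same server (subdomains, IP literals), so an allowlist of permitted hosts is the stronger form of this check.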