|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #19160 fopen doesn't remove space, CR, LF from URL's
Submitted: 2002-08-28 18:35 UTC Modified: 2002-09-10 04:37 UTC
Avg. Score:3.3 ± 1.7
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: ulfh at update dot uu dot se Assigned: derick (profile)
Status: Closed Package: HTTP related
PHP Version: 4.2.2 OS: Linux (Red Hat, Debian)
Private report: No CVE-ID: None
 [2002-08-28 18:35 UTC] ulfh at update dot uu dot se
As you know, you can use URL's in fopen(), file() etc when allow_url_fopen is On. Unfortunately, PHP doesn't remove spaces, tabs, CR or LF characters from the URL before constructing an HTTP query. This means that we can add arbitrary HTTP headers to the URL, like this:


$fp = fopen(" HTTP/1.0\n".
            "User-Agent: Nozilla/0.0\n".
            "Cookie: user=ulf\n\n", "r");


This program will display the contents of instead of, if they live on the same virtual host.

You can also use it for communication with other types of servers than HTTP servers:


$fp = fopen(" HTTP/1.0\n".
            "HELO my.own.machine\n".
            "MAIL FROM: <user@my.own.machine>\n".
            "RCPT TO: <>\n".
            "From: user@my.own.machine\n".
            "Subject: This is..\n\n".
            "This is a URL that sends an e-mail (?).\n".
            "QUIT\n\n", "r");


Both the mail server and PHP will complain, but the mail still gets sent.

This can even lead to a security hole in a program like this:


$fp = fopen("$path", "r");


because it allows the user to break out of restrictions and access some other site than

I have verified this behaviour in PHP 4.1.2, 4.2.2 and a CVS checkout from a few days ago. You fix it by removing all spaces, tabs, CR characters and LF characters from the URL's.

// Ulf Harnhammar


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2002-08-28 18:51 UTC]
Seems like a feature to me.  Should probably be documented if we keep it, but there are many examples of functions in PHP that you should not be sending raw user data to.  Things like exec(), include(), readfile() and fopen() in the non-URL sense all need their inputs sanitized.
 [2002-08-28 18:59 UTC] ulfh at update dot uu dot se
Well, I disagree. URL's don't have any field for setting cookies or user agents, so being able to do that from a field that claims to contain a URL is a bug in my opinion.

// Ulf Harnhammar
 [2002-08-29 01:31 UTC]
I disagree too, assiging to me.

 [2002-09-10 04:37 UTC]
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at
In case this was a documentation problem, the fix will show up soon at

In case this was a website problem, the change will show
up on the site and on the mirror sites in short time.
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Wed Jun 23 15:01:23 2021 UTC