Bug #42729 $_SERVER['HTTP_X_ORIGINAL_URI'] can be overridden
Submitted: 2007-09-21 15:55 UTC
Modified: 2007-09-21 16:43 UTC
From: php dot 20 dot zsh at spamgourmet dot com
Assigned:
Status: Not a bug
Package: *General Issues
PHP Version: 5.2.4
OS: *
Private report: No
CVE-ID: None
 [2007-09-21 15:55 UTC] php dot 20 dot zsh at spamgourmet dot com
Description:
------------
HTTP_X_ORIGINAL_URI can be overridden by sending an X-Original-URI header. I think that shouldn't be possible... afaik it has nothing to do with request headers, since it's set even if I only provide a Host header.

Reproduce code:
---------------
Request header sent by the client:

X-Original-URI: javascript:alert(document.cookie)

Script that trusts the header:

<?php
// The header value is echoed straight into the href attribute,
// without validation or escaping (this is the behaviour being reported).
echo '<a href="' . $_SERVER['HTTP_X_ORIGINAL_URI'] . '">Try again</a>';
?>


Expected result:
----------------
<a href="http://my-domain.com/script.php">Try again</a>


Actual result:
--------------
<a href="javascript:alert(document.cookie)">Try again</a>


 [2007-09-21 16:43 UTC] scottmac@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

All HTTP_X headers come from the webserver, and ultimately from the user, and shouldn't be trusted.
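The maintainer's point applies to every $_SERVER['HTTP_*'] entry: PHP (via the CGI/SAPI interface) exposes each incoming request header by upper-casing its name, replacing hyphens with underscores and prefixing HTTP_, so X-Original-URI becomes HTTP_X_ORIGINAL_URI whether a proxy or the end user sent it, and PHP cannot tell the two apart. The following is an added example, not the reporter's code and not part of PHP itself, showing how the "Try again" link from the report can be built without trusting that header: the value is only used if it is a same-origin absolute path or an http(s) URL, otherwise a server-side fallback is used, and the result is HTML-escaped as an attribute value. The function names safeRetryUrl and retryLink, the placeholder my-domain.com fallback (taken from the report's expected output) and the sample header values are constructed for this example.

```php
<?php
// Added example; not the reporter's script and not PHP project code.
declare(strict_types=1);

/**
 * Return a safe "try again" URL derived from the (untrusted) request
 * header, or $fallback when the header is absent or rejected.
 *
 * $server   the $_SERVER array, passed in so the function can be exercised
 *           with constructed input
 * $fallback a trusted URL chosen by the application, never by the client
 */
function safeRetryUrl(array $server, string $fallback): string
{
    $raw = $server['HTTP_X_ORIGINAL_URI'] ?? '';

    // Reject empty values, control characters and anything parse_url cannot handle.
    if ($raw === '' || preg_match('/[\x00-\x1f\x7f]/', $raw) === 1) {
        return $fallback;
    }
    $parts = parse_url($raw);
    if ($parts === false) {
        return $fallback;
    }

    // Case 1: an absolute path such as "/script.php?page=2". With no scheme
    // and no host it can only refer to this origin. "//host/..." is excluded
    // because parse_url reports a host for it.
    if (!isset($parts['scheme']) && !isset($parts['host']) && $raw[0] === '/') {
        return $raw;
    }

    // Case 2: an absolute URL. Only http and https are accepted; javascript:,
    // data: and any other scheme fall through to the trusted fallback.
    $scheme = strtolower($parts['scheme'] ?? '');
    if (($scheme === 'http' || $scheme === 'https') && isset($parts['host'])) {
        return $raw;
    }

    return $fallback;
}

/** Render the anchor; the URL is escaped as an HTML attribute value. */
function retryLink(array $server, string $fallback): string
{
    $url = safeRetryUrl($server, $fallback);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">Try again</a>';
}

// Constructed stand-ins for $_SERVER; the domain is the placeholder from the report.
$fallback = 'http://my-domain.com/script.php';
$samples = [
    'header absent'      => [],
    'javascript: scheme' => ['HTTP_X_ORIGINAL_URI' => 'javascript:alert(document.cookie)'],
    'same-origin path'   => ['HTTP_X_ORIGINAL_URI' => '/script.php?page=2'],
    'path with quote'    => ['HTTP_X_ORIGINAL_URI' => '/search?q="quoted"'],
    'http URL'           => ['HTTP_X_ORIGINAL_URI' => 'http://my-domain.com/other.php'],
    'scheme-relative'    => ['HTTP_X_ORIGINAL_URI' => '//other.example/'],
];
foreach ($samples as $label => $server) {
    printf("%-19s %s\n", $label . ':', retryLink($server, $fallback));
}
```

Run with `php example.php`: the javascript: and scheme-relative samples produce the fallback link, the same-origin path and http URL are kept, and the quote in the fourth sample is emitted as `&quot;` so it cannot close the attribute. The two checks are independent and both matter: scheme allow-listing stops the javascript: case reported here, while attribute escaping stops a header value from breaking out of the href regardless of scheme.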
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Apr 30 21:01:30 2024 UTC