php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #42729 $_SERVER['HTTP_X_ORIGINAL_URI'] can be overridden
Submitted: 2007-09-21 15:55 UTC Modified: 2007-09-21 16:43 UTC
From: php dot 20 dot zsh at spamgourmet dot com Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 5.2.4 OS: *
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: php dot 20 dot zsh at spamgourmet dot com
New email:
PHP Version: OS:

 

 [2007-09-21 15:55 UTC] php dot 20 dot zsh at spamgourmet dot com
Description:
------------
HTTP_X_ORIGINAL_URI can be overriden by sending a X-Original-URI header. I think that shouldn't be possible... afaik it has nothing to do with request headers, since it's set even if I only provide a Host-Header.

Reproduce code:
---------------
X-Original-URI: javascript:alert(document.cookie)

<?php
echo '<a href="' . $_SERVER['HTTP_X_ORIGINAL_URI'] . '">Try again</a>';
?>


Expected result:
----------------
<a href="http://my-domain.com/script.php">Try again</a>


Actual result:
--------------
<a href="javascript:alert(document.cookie)">Try again</a>


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-09-21 16:43 UTC] scottmac@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

All HTTP_X headers come from the webserver which ultimately come from the user and shouldn't be trusted.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Oct 06 17:01:27 2024 UTC