Bug #42869 URL rewrite mechanism - data sent to foreign sites
Submitted: 2007-10-05 16:11 UTC Modified: 2007-10-10 00:36 UTC
From: mpub at meiners-online dot de Assigned: iliaa (profile)
Status: Closed Package: Output Control
PHP Version: 5.2.4 OS: Linux
Private report: No CVE-ID: None
 [2007-10-05 16:11 UTC] mpub at meiners-online dot de
When I use output_add_rewrite_var($key, $value), it also adds a hidden field containing $key and $value to forms which have an absolute URL as action-attribute of the form-tag.

The transparent session-ID support (using the directive session.use_trans_sid) is also affected.

I also reported this problem as 42804 in the session-section and was a bit shocked about the answer that I simply shouldn't use the feature and the classification "bogus". This section is maybe better anyway.

The configure-line of my provider:

../configure --program-suffix=5 --with-pear=/usr/local/lib/php5 --with-config-file-path=/usr/local/lib/php5 --with-libxml-dir=/usr/local/php5 --with-mysqli=/usr/local/mysql/bin/mysql_config --enable-soap --with-xsl=/usr/local/php5 --enable-mbstring=all --with-curl=/usr/local/php5 --with-mcrypt=/usr/local/php5 --with-gd --with-pdo-mysql=/usr/local/mysql --with-freetype-dir --with-libxml-dir=/usr/local/php5 --with-mysql=/usr/local/mysql --with-zlib --enable-debug=no --enable-safe-mode=no --enable-discard-path=no --with-png-dir=/usr/lib --enable-track-vars --with-db --with-gdbm --enable-force-cgi-redirect --with-ttf=/usr/ --enable-ftp --enable-dbase --enable-memory-limit --enable-calendar --enable-wddx --with-jpeg-dir=/usr/src/kundenserver/jpeg-6b --enable-bcmath --enable-gd-imgstrttf --enable-shmop --enable-mhash --with-mhash=/usr/src/kundenserver/mhash-0.8.9/ --with-openssl --enable-xslt --with-xslt-sablot --with-dom --with-dom-xslt --with-dom-exslt --with-imap --with-iconv=/usr/local --with-bz2 --with-gettext --enable-exif --with-idn --with-sqlite --enable-sqlite-utf8

Reproduce code:

Type in your city to get to know how you can find us:
<form action="">
<input type="text" name="city" />
<input type="submit" />

Expected result:
I expect to get the form unchanged as output because the manual says "Please note that absolute URLs ( aren't rewritten."

Actual result:
The output is:

Type in your city to get to know how you can find us:
<form action=""><input type="hidden" name="sessionID" value="12345" />
<input type="text" name="city" />
<input type="submit" />


 [2007-10-10 00:36 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.
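
An added example (not part of the original report or of PHP itself): a small Python audit that scans rendered HTML for the behaviour reported above, a hidden rewrite variable inside a form whose action points at another host. The host names, the sample markup and the names `find_leaks` and `RewriteVarLeakAuditor` are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class RewriteVarLeakAuditor(HTMLParser):
    """Flag hidden rewrite variables that sit inside forms posting to another host."""
    def __init__(self, own_host, rewrite_vars):
        super().__init__()
        self.own_host = own_host.lower()
        self.rewrite_vars = set(rewrite_vars)
        self.foreign_host = None   # set while inside a form whose action is foreign
        self.leaks = []            # (foreign host, variable name) pairs

    def _foreign_target(self, action):
        # Relative actions (including the empty string) have no host and stay
        # on the current site; only an absolute or //host URL can leave it.
        host = urlsplit(action or "").hostname
        return host if host and host != self.own_host else None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.foreign_host = self._foreign_target(a.get("action"))
        elif tag == "input" and self.foreign_host:
            if (a.get("type") or "").lower() == "hidden" and a.get("name") in self.rewrite_vars:
                self.leaks.append((self.foreign_host, a["name"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self.foreign_host = None


def find_leaks(html, own_host, rewrite_vars):
    auditor = RewriteVarLeakAuditor(own_host, rewrite_vars)
    auditor.feed(html)
    auditor.close()
    return auditor.leaks


# Constructed sample output; maps.example.net and shop.example.org are placeholders.
SAMPLE = """
<form action="http://maps.example.net/route"><input type="hidden" name="sessionID" value="12345" />
<input type="text" name="city" /><input type="submit" /></form>
<form action="/search"><input type="hidden" name="sessionID" value="12345" />
<input type="text" name="q" /></form>
"""

if __name__ == "__main__":
    print(find_leaks(SAMPLE, "shop.example.org", {"sessionID"}))
```

Run against the output of a build suspected of this bug, any returned pair names the foreign host that would receive the variable on submit; the local form in the sample is correctly ignored.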

Last updated: Sun Feb 25 04:01:28 2024 UTC