Bug #42869 URL rewrite mechanism - data sent to foreign sites
Submitted: 2007-10-05 16:11 UTC
Modified: 2007-10-10 00:36 UTC
From: mpub at meiners-online dot de
Assigned: iliaa
Status: Closed
Package: Output Control
PHP Version: 5.2.4
OS: Linux
Private report: No
CVE-ID: None

 

 [2007-10-05 16:11 UTC] mpub at meiners-online dot de
Description:
------------
When I use output_add_rewrite_var($key, $value), it also adds a hidden field containing $key and $value to forms which have an absolute URL as action-attribute of the form-tag.

The transparent session-ID support (using the directive session.use_trans_sid) is also affected.

I also reported this problem as 42804 in the session-section and was a bit shocked about the answer that I simply shouldn't use the feature and the classification "bogus". This section is maybe better anyway.



The configure-line of my provider:

../configure --program-suffix=5 --with-pear=/usr/local/lib/php5 --with-config-file-path=/usr/local/lib/php5 --with-libxml-dir=/usr/local/php5 --with-mysqli=/usr/local/mysql/bin/mysql_config --enable-soap --with-xsl=/usr/local/php5 --enable-mbstring=all --with-curl=/usr/local/php5 --with-mcrypt=/usr/local/php5 --with-gd --with-pdo-mysql=/usr/local/mysql --with-freetype-dir --with-libxml-dir=/usr/local/php5 --with-mysql=/usr/local/mysql --with-zlib --enable-debug=no --enable-safe-mode=no --enable-discard-path=no --with-png-dir=/usr/lib --enable-track-vars --with-db --with-gdbm --enable-force-cgi-redirect --with-ttf=/usr/ --enable-ftp --enable-dbase --enable-memory-limit --enable-calendar --enable-wddx --with-jpeg-dir=/usr/src/kundenserver/jpeg-6b --enable-bcmath --enable-gd-imgstrttf --enable-shmop --enable-mhash --with-mhash=/usr/src/kundenserver/mhash-0.8.9/ --with-openssl --enable-xslt --with-xslt-sablot --with-dom --with-dom-xslt --with-dom-exslt --with-imap --with-iconv=/usr/local --with-bz2 --with-gettext --enable-exif --with-idn --with-sqlite --enable-sqlite-utf8

Reproduce code:
---------------
<?php
output_add_rewrite_var('sessionID','12345');

?>
Type in your city to get to know how you can find us:
<form action="http://www.carRoutes.com/search.php">
<input type="text" name="city" />
<input type="submit" />
</form>
<?php

Expected result:
----------------
I expect to get the form unchanged as output because the manual says "Please note that absolute URLs (http://example.com/..) aren't rewritten."

Actual result:
--------------
The output is:

Type in your city to get to know how you can find us:
<form action="http://www.carRoutes.com/search.php"><input type="hidden" name="sessionID" value="12345" />
<input type="text" name="city" />
<input type="submit" />
</form>
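
A check for the behaviour reported above, as an added example that is not part of the original report or of PHP's own code: it scans rendered HTML for forms whose action points at another host and that carry a hidden field named after a rewrite variable. The function name find_foreign_form_leaks(), its parameters and the host www.example.org are assumptions made for illustration.

```php
<?php
// Added example: flag forms that would send rewrite variables to another host.
// find_foreign_form_leaks() and its parameters are hypothetical names.

/**
 * Return one finding per hidden field named in $sensitive that sits in a
 * form whose action points at a host other than $ownHost.
 */
function find_foreign_form_leaks(string $html, string $ownHost, array $sensitive): array
{
    $doc = new DOMDocument();
    // Rendered pages are rarely valid markup; collect parser warnings silently.
    $prev = libxml_use_internal_errors(true);
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $findings = [];
    foreach ($doc->getElementsByTagName('form') as $form) {
        $action = $form->getAttribute('action');
        // Absolute and scheme-relative ("//host/path") actions both carry a host.
        $host = parse_url($action, PHP_URL_HOST);
        if (!is_string($host) || strcasecmp($host, $ownHost) === 0) {
            continue; // relative action or same host: the variable stays on-site
        }
        foreach ($form->getElementsByTagName('input') as $input) {
            $name = $input->getAttribute('name');
            if (strtolower($input->getAttribute('type')) === 'hidden'
                && in_array($name, $sensitive, true)) {
                $findings[] = ['action' => $action, 'field' => $name];
            }
        }
    }
    return $findings;
}

// Constructed sample: the "Actual result" form from the report, plus a local form.
$rendered = <<<'HTML'
<form action="http://www.carRoutes.com/search.php"><input type="hidden" name="sessionID" value="12345" />
<input type="text" name="city" />
<input type="submit" />
</form>
<form action="/local.php"><input type="hidden" name="sessionID" value="12345" /></form>
HTML;

foreach (find_foreign_form_leaks($rendered, 'www.example.org', ['sessionID']) as $f) {
    echo "rewrite var '{$f['field']}' would be sent to {$f['action']}\n";
}
```

When session.use_trans_sid is in use, pass session_name() in the list of sensitive names so the session ID field is covered as well.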

 [2007-10-10 00:36 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 