php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #51642 FILTER_VALIDATE_URL should fail if an invalid IP address is used
Submitted: 2010-04-23 09:48 UTC Modified: 2012-02-15 04:04 UTC
Votes:122
Avg. Score:3.0 ± 0.3
Reproduced:4 of 24 (16.7%)
Same Version:65538 (1638450.0%)
Same OS:65538 (1638450.0%)
From: graham at grahamweldon dot com Assigned:
Status: Open Package: Filter related
PHP Version: 5.2.13 OS: OSX 10.5.3
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2010-04-23 09:48 UTC] graham at grahamweldon dot com
Description:
------------
Tested using PHP 5.2.13 and PHP 5.3.1
Supply of an invalid IP address as the host part of a URL passes the filter_var 
validation.

I propose that validation should fail if an invalid IP address is provided in URL 
validation.

Test script:
---------------
var_dump(filter_var('http://999.123.999.123', FILTER_VALIDATE_URL));


Expected result:
----------------
bool(false)

Actual result:
--------------
string(22) "http://999.123.999.123"

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-04-26 03:08 UTC] graham at grahamweldon dot com
-Operating System: OSX 10.5.6 +Operating System: OSX 10.5.3
 [2010-04-26 03:08 UTC] graham at grahamweldon dot com
Fixed OSX Veron number in report.
 [2012-02-14 22:22 UTC] hairmare at purplehaze dot ch
FILTER_VALIDATE_URL implements RFC2396 (which does not even mention ip 
validation). Have you considered ANDing FILTER_VALIDATE_URL with 
FILTER_VALIDATE_IP like so:

<?php
$url = 'http://999.123.999.123';
var_dump(
    filter_var($url, FILTER_VALIDATE_URL) && 
    filter_var(parse_url($url, PHP_URL_HOST), FILTER_VALIDATE_IP)
);
 [2012-02-15 00:07 UTC] rasmus@php.net
-Type: Feature/Change Request +Type: Documentation Problem
 [2012-02-15 00:07 UTC] rasmus@php.net
This is more of a documentation issue than an actual feature request.
 [2012-02-15 01:26 UTC] graham at grahamweldon dot com
I think it becomes a documentation issue, if the request to add IP validation as 
part of the FILTER_VALIDATE_URL is declined.
 [2012-02-15 04:04 UTC] rasmus@php.net
-Type: Documentation Problem +Type: Feature/Change Request
 [2012-02-15 04:04 UTC] rasmus@php.net
I'll put it back to a feature request. I do agree it would be useful to have an 
RFC3986 validator. This code was written prior to that RFC. RFC2396 doesn't 
specify validating the dotted-decimal IPv4 syntax, but RFC3986 does along with 
introducing IPv6-support, of course.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Wed Oct 23 15:01:31 2019 UTC