php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #62159 All ports greater than 65535 in parse_url
Submitted: 2012-05-25 15:18 UTC Modified: 2012-05-29 12:07 UTC
Votes:4
Avg. Score:2.5 ± 0.9
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:2 (66.7%)
From: mfsole at hotmail dot com Assigned:
Status: Open Package: URL related
PHP Version: 5.3.13 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
MUST BE VALID
Solve the problem:
17 + 23 = ?
Subscribe to this entry?

 
 [2012-05-25 15:18 UTC] mfsole at hotmail dot com 
Description:
------------
Currently the parse_url function only recognizes ports from 0-65535. Firstly this 
isn't really documented on the site. Secondly, while it is true that valid port 
numbers for http requests are less than 65535 there are other types of URLs which 
have port numbers that can exceed that limit. This is very common in the SMS world 
as the port number is used to indicate short code. Here is an example:

ctpp://ericsson:78325/?carrier=31003&address=2125551212

I don't see any real benefit to limiting the port number, more over the function 
appears to arbitrarily rewrite the port number. So the above example gets reported 
as 12789.

Best case scenario would be to just allow numbers of any size. PHP is understood 
to be loosely type so enforcing type here is inconsistent. At the very least 
document the behavior on the site (I will add post to the function for others). 

Test script:
---------------
<?php
$url = 'ctpp://ericsson:78325/?carrier=31003&address=2125551212';
$parsedURL = parse_url($url);
var_dump($parsedURL);



Expected result:
----------------
array (size=5)
  'scheme' => string 'ctpp' (length=4)
  'host' => string 'ericsson' (length=8)
  'port' => int 78325
  'path' => string '/' (length=1)
  'query' => string 'carrier=31003&address=2125551212' (length=32)

Actual result:
--------------
array (size=5)
  'scheme' => string 'ctpp' (length=4)
  'host' => string 'ericsson' (length=8)
  'port' => int 12789
  'path' => string '/' (length=1)
  'query' => string 'carrier=31003&address=2125551212' (length=32)

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-05-25 19:29 UTC] riptide dot tempora at opinehub dot com 
https://en.wikipedia.org/wiki/Goatse_Security#Browser_vulnerabilities <-- relevant
 [2012-05-29 02:51 UTC] kriss at krizalys dot com 
I have the same behavior with older PHP 5.3.5/Windows 7 x64

However, I noticed that PHP 5.3.13/Gentoo x86_64 is even more strict and returns FALSE (meaning "really bad-formed URL" according to the doc) for the given URL. The port is the reason of this failure because changing it to something in the range 0 - 65535 will return the expected information.
 [2012-05-29 12:07 UTC] mfsole at hotmail dot com 
Well returning false would be a better behavior than returning an arbitrary 
number. However I was forced to switch to the Pear package Net_URL2 which does not 
have this behavior.

Again, I need to stress that valid port numbers  are only relavant when making TCP 
requests (ssh, http, https, etc) but URLs are used for other things, like the 
examples I gave.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 18 15:01:28 2024 UTC