php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #64582 file_get_contents() handles redirects wrong
Submitted: 2013-04-04 14:55 UTC Modified: 2021-10-04 17:04 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: spam2 at rhsoft dot net Assigned:
Status: Open Package: Streams related
PHP Version: 5.4.13 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: spam2 at rhsoft dot net
New email:
PHP Version: OS:

 

 [2013-04-04 14:55 UTC] spam2 at rhsoft dot net
Description:
------------
[line "182"] [id "950103"] [msg "path traversal attack"] [data "../"] [hostname "test.test.rh"] [uri "/contentlounge/updateservice/cms_demo/cms//../cms.php"] [unique_id "UV2MrQoAAGMAAE356XkAAAAF"]


in the folder /cms is a simple index.php with header('Location: ../cms.php');
every normal browser translates path and does not trigger modsec
php triggers the "path traversal"-rule


Expected result:
----------------
call the URL /contentlounge/updateservice/cms_demo/cms/cms.php

Actual result:
--------------
calling the URL /contentlounge/updateservice/cms_demo/cms//../cms.php

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-04-04 15:53 UTC] johannes@php.net
RFC 2616 Section 14.30 requires "a single absolute URI." for the location header. Any relative location is not standards compliant.
 [2013-04-04 15:57 UTC] spam2 at rhsoft dot net
i know that, but it is not that easy to generate everytime a full qualified URL and since any other http-client translates the ../ PHP should act the same way
 [2015-04-17 23:58 UTC] cmb@php.net
-Package: Scripting Engine problem +Package: Streams related
 [2015-04-17 23:58 UTC] cmb@php.net
RFC 7231 which obsoletes RFC 2616 allows relative references[1],
though. It seems to me that the http:// stream wrappers should
comply.

[1] <http://tools.ietf.org/html/rfc7231#section-7.1.2>
 [2021-10-04 17:04 UTC] cmb@php.net
-Type: Bug +Type: Feature/Change Request
 [2021-10-04 17:04 UTC] cmb@php.net
Still, not a bug, but rather a feature request.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Oct 15 22:01:26 2024 UTC