Request #64582 file_get_contents() handles redirects wrong
Submitted: 2013-04-04 14:55 UTC Modified: 2021-10-04 17:04 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: spam2 at rhsoft dot net Assigned:
Status: Open Package: Streams related
PHP Version: 5.4.13 OS: Linux
Private report: No CVE-ID: None


 [2013-04-04 14:55 UTC] spam2 at rhsoft dot net
[line "182"] [id "950103"] [msg "path traversal attack"] [data "../"] [hostname "test.test.rh"] [uri "/contentlounge/updateservice/cms_demo/cms//../cms.php"] [unique_id "UV2MrQoAAGMAAE356XkAAAAF"]

In the folder /cms is a simple index.php with header('Location: ../cms.php');
Every normal browser translates the path and does not trigger modsec.
PHP triggers the "path traversal" rule.

Expected result:
call the URL /contentlounge/updateservice/cms_demo/cms/cms.php

Actual result:
calling the URL /contentlounge/updateservice/cms_demo/cms//../cms.php


 [2013-04-04 15:53 UTC]
RFC 2616 Section 14.30 requires "a single absolute URI." for the location header. Any relative location is not standards compliant.
 [2013-04-04 15:57 UTC] spam2 at rhsoft dot net
I know that, but it is not that easy to generate a fully qualified URL every time, and since any other HTTP client translates the ../, PHP should act the same way.
 [2015-04-17 23:58 UTC]
-Package: Scripting Engine problem +Package: Streams related
 [2015-04-17 23:58 UTC]
RFC 7231 which obsoletes RFC 2616 allows relative references[1],
though. It seems to me that the http:// stream wrappers should

[1] <>
 [2021-10-04 17:04 UTC]
-Type: Bug +Type: Feature/Change Request
 [2021-10-04 17:04 UTC]
Still, not a bug, but rather a feature request.
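
One way a caller can resolve a relative Location value against the request URL per RFC 3986 sections 5.2.2 and 5.2.4 before following it, so the request line carries no `../` for a path-traversal rule to match. This is an added example, not code from the report or from PHP's stream wrapper; the function names and the base URL in the sample are assumptions.

```php
<?php
// Added example, not PHP's stream-wrapper code. Function names are hypothetical.
// RFC 3986 section 5.2.4: drop "." segments; ".." removes the previous segment.
function remove_dot_segments(string $path): string
{
    $segments = explode('/', $path);
    $out = [];
    foreach ($segments as $seg) {
        if ($seg === '..' && count($out) > 1) {
            array_pop($out);               // never climb above the root ""
        } elseif ($seg !== '.' && $seg !== '..') {
            $out[] = $seg;
        }
    }
    if (in_array(end($segments), ['.', '..'], true)) {
        $out[] = '';                       // result names a directory: keep "/"
    }
    return implode('/', $out);
}

// RFC 3986 section 5.2.2: resolve a Location value against the request URL.
function resolve_location(string $base, string $location): string
{
    $b = parse_url($base);
    $r = parse_url($location);
    $bad = !is_array($b) || !is_array($r) || !isset($b['scheme'], $b['host'])
        || (isset($r['scheme']) && !isset($r['host']));
    if ($bad) {
        throw new InvalidArgumentException('unparseable base URL or Location');
    }
    $basePath = $b['path'] ?? '/';
    $src = isset($r['host']) ? $r : $b;    // which side supplies the authority
    $authority = $src['host'] . (isset($src['port']) ? ':' . $src['port'] : '');
    $path = $r['path'] ?? '';
    $query = $r['query'] ?? null;
    if (isset($r['host'])) {
        $path = $path === '' ? '/' : $path;
    } elseif ($path === '') {
        $path = $basePath;                 // same document, possibly a new query
        $query = $query ?? ($b['query'] ?? null);
    } elseif ($path[0] !== '/') {          // merge with the base path's directory
        $path = substr($basePath, 0, strrpos($basePath, '/') + 1) . $path;
    }
    return ($r['scheme'] ?? $b['scheme']) . '://' . $authority
        . remove_dot_segments($path) . ($query !== null ? '?' . $query : '');
}

// Constructed sample: assumed request URL plus the Location value from the report.
$base = 'http://test.test.rh/contentlounge/updateservice/cms_demo/cms/';
echo resolve_location($base, '../cms.php'), "\n";
```

To use it with `file_get_contents()`, set the `follow_location` HTTP context option to 0, read the `Location` line from `$http_response_header`, and request the resolved URL yourself.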
Last updated: Mon Apr 22 22:01:31 2024 UTC