|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #68296 \n in path with parse_url() converts to underscore
Submitted: 2014-10-24 06:14 UTC Modified: -
Avg. Score:3.6 ± 0.8
Reproduced:4 of 4 (100.0%)
Same Version:1 (25.0%)
Same OS:0 (0.0%)
From: dave at lyte dot id dot au Assigned:
Status: Open Package: URL related
PHP Version: 5.4.34 OS: OS X
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: dave at lyte dot id dot au
New email:
PHP Version: OS:


 [2014-10-24 06:14 UTC] dave at lyte dot id dot au
Basically if you're parsing a random HTML sometimes users will put new lines in the href attribute of a tags, browsers ignore the new line, but PHP converts it to an underscore.

Test script:
$ php -r 'var_export(parse_url("\nbar"));'

Expected result:
The expected output is:
$ php -r 'var_export(parse_url("\nbar"));'
array (
  'scheme' => 'http',
  'host' => '',
  'path' => '/foobar',

Actual result:
The actual output is:
$ php -r 'var_export(parse_url("\nbar"));'
array (
  'scheme' => 'http',
  'host' => '',
  'path' => '/foo_bar',


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2016-01-15 08:11 UTC] simonsimcity at gmail dot com
Is related to #68296
 [2016-01-15 08:11 UTC] simonsimcity at gmail dot com
Sorry, I meant related to #52923
 [2018-01-11 19:01 UTC] gonzad26 at gmail dot com
The problem still persists in php 5.6.
Doing: parse_url($path,PHP_URL_HOST);

if $path has a "\n" parse_url returns and _ where the \n was.
 [2018-01-11 19:05 UTC] spam2 at rhsoft dot net
besides PHP5 is EOL what do you expect?
garbage in, garbage out!

control chars don't belong into a url - it's that simple and if you don't sanitze and validate your input data be happy that someone does

what do you think happens with null chars and freinds if you concat your remote URL based on userinput and obviously don't care about handle untrusted data careful?
 [2018-01-11 20:25 UTC] gonzad26 at gmail dot com
Pardon me, bug still in PHP 7.1.7.
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Jun 16 06:01:30 2019 UTC