Bug #69000 http\Url in 2.2.0 breaks down with very long URL query strings
Submitted: 2015-02-07 02:21 UTC
Modified: 2015-02-07 11:27 UTC
From: p at wspnr dot com
Assigned: mike (profile)
Status: Closed
Package: pecl_http (PECL)
PHP Version: 5.6.5
OS: Linux
Private report: No
CVE-ID: None
 [2015-02-07 02:21 UTC] p at wspnr dot com
Description:
------------
When passing a very long URL string to the http\Url constructor, very strange behaviour was observed. It seems like something is writing past the end of a buffer?

The original observation from an actual application was that URLs with short query strings (< 200 characters) were behaving normally, URLs with medium-sized query strings had junk data in $url->query and URLs with large query strings (1000+ characters) had nothing in $url->query.

Furthermore, the resulting object (with a URL containing more than 200 characters or so) exhibited strange behaviour: reading $url->path while within the same method that created the http\Url object was fine, but passing the object as a parameter to a different method would result in incorrect data being read.

No errors or exceptions.

I ran a quick test script, and it seems that there is a breakdown when the protocol + host + path + query component is longer than 192 characters. Playing around with the different URL parts gave me different results.

Upgraded pecl_http to 2.2.0 from 2.1.4. This bug was NOT observed in 2.1.4. Built from PECL sources with libz 1.2.8, libcurl 7.38.0, libevent 2.0.21.

Test script:
---------------
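<?php
// 24 is the length of the fixed prefix "http://www.example.com/?",
// so the second number printed is the total URL length.
for($i = 1; $i < 1000; $i++) {
    echo $i, "|", ($i + 24), PHP_EOL;
    $url = new \http\Url("http://www.example.com/?" . str_repeat("a", $i));
    // Should print the query string, i.e. "a" repeated $i times.
    echo $url->query, PHP_EOL, PHP_EOL;
}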

Expected result:
----------------
1|25
a

2|26
aa

... snip ...

168|192
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

169|193
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

... snip ...

999|1023
a repeated 999 times

Actual result:
--------------
1|25
a

2|26
aa

... snip ...

168|192
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

169|193
t.php <-- Note that this file is named 'bug-test.php', this is part of the file name
... snip ...

999|1023
t.php

History

 [2015-02-07 07:36 UTC] mike@php.net
-Assigned To: +Assigned To: mike
 [2015-02-07 11:20 UTC] mike@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=pecl/http/pecl_http.git;a=commit;h=6a206380b376a202ed243dd730d4433186a55a1d
Log: Fixed Bug #69000 (http\Url breaks down with very long URL query strings)
 [2015-02-07 11:20 UTC] mike@php.net
-Status: Assigned +Status: Closed
 [2015-02-07 11:27 UTC] mike@php.net
I just released 2.2.1 with the fix.

Thank you for the report!
 [2015-02-07 11:30 UTC] mike@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=pecl/http/pecl_http.git;a=commit;h=6a206380b376a202ed243dd730d4433186a55a1d
Log: Fixed Bug #69000 (http\Url breaks down with very long URL query strings)
 [2015-02-08 20:44 UTC] mike@php.net
Automatic comment on behalf of mike
Revision: http://git.php.net/?p=pecl/http/pecl_http.git;a=commit;h=6a206380b376a202ed243dd730d4433186a55a1d
Log: Fixed Bug #69000 (http\Url breaks down with very long URL query strings)
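
A regression check for the behaviour reported above, added here as an example; it is not code from the report or from pecl_http. It compares every parsed URL part against the known input and reads the parts in a separate function, since the report saw wrong data after passing the object to another method. The helper names and the 2000-character upper bound are assumptions.

```php
<?php
// Added regression check; requires the pecl_http extension.
// Helper names are hypothetical. No scalar or return type hints are used,
// so the script also runs on PHP 5.6, the version named in the report.

// Read the parts in a different function than the one that built the object.
function read_parts(\http\Url $url)
{
    return [$url->scheme, $url->host, $url->path, $url->query];
}

// Return the total URL lengths at which the parsed parts differ from the input.
function find_bad_lengths($maxQueryLen)
{
    $prefix = "http://www.example.com/?";   // 24 characters, as in the report
    $bad = [];
    for ($i = 1; $i <= $maxQueryLen; $i++) {
        $query = str_repeat("a", $i);
        $url = new \http\Url($prefix . $query);
        $expected = ["http", "www.example.com", "/", $query];
        if (read_parts($url) !== $expected) {
            $bad[] = strlen($prefix) + $i;
        }
    }
    return $bad;
}

if (!extension_loaded("http")) {
    fwrite(STDERR, "pecl_http is not loaded" . PHP_EOL);
    exit(2);
}

$bad = find_bad_lengths(2000);              // assumed upper bound
printf("pecl_http %s: ", phpversion("http"));
if ($bad === []) {
    echo "all URL lengths parsed correctly", PHP_EOL;
    exit(0);
}
printf("%d lengths mis-parsed, first at %d characters%s",
    count($bad), $bad[0], PHP_EOL);
exit(1);
```

The exit status (0 clean, 1 mis-parsed, 2 extension missing) lets the script gate a deployment or CI job after upgrading to 2.2.1.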