Bug #69670 bad url filtering with filer_flag_host_required
Submitted: 2015-05-20 09:48 UTC Modified: 2015-05-20 11:44 UTC
From: alexglue at gmail dot com Assigned: cmb (profile)
Status: Not a bug Package: Variables related
PHP Version: 5.6Git-2015-05-20 (Git) OS: ubuntu 14.04
Private report: No CVE-ID: None
 [2015-05-20 09:48 UTC] alexglue at gmail dot com
Description:
------------
---
From manual page: http://www.php.net/function.filter-var
---
Using the test script, we get this:

result:
http:///path/by/path?query=124
/path/by/path?query=124

instead of a false value.

my php version is "PHP 5.5.9-1ubuntu4.7 (cli) (built: Mar 16 2015 20:47:39)"

Test script:
---------------
<?php
$uri = 'http:///path/by/path?query=124';
$uri = filter_var($uri, FILTER_SANITIZE_URL, FILTER_FLAG_HOST_REQUIRED);
var_dump($uri);

$uri = '/path/by/path?query=124';
$uri = filter_var($uri, FILTER_SANITIZE_URL, FILTER_FLAG_HOST_REQUIRED);
var_dump($uri);

?>

Expected result:
----------------
Expected a false value when no hostname is provided and the FILTER_FLAG_HOST_REQUIRED option is set.


 [2015-05-20 11:44 UTC] cmb@php.net
-Status: Open
+Status: Not a bug
-Package: *General Issues
+Package: Variables related
-Assigned To:
+Assigned To: cmb
 [2015-05-20 11:44 UTC] cmb@php.net
The sanitize filters are not meant to do validation. Especially,
FILTER_SANITIZE_URL doesn't accept the FILTER_FLAG_*_REQUIRED
flags. Compare that to FILTER_VALIDATE_URL[1].
(FILTER_FLAG_SCHEME_REQUIRED and FILTER_FLAG_HOST_REQUIRED are not
listed there, but that has already been reported as bug #66938.)

See also <http://3v4l.org/jTcfW>.

[1] <http://php.net/manual/en/filter.filters.validate.php>
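
The distinction drawn in the reply above, as an added example (not part of the original report or of PHP's own code): FILTER_SANITIZE_URL only strips characters that may not appear in a URL, while FILTER_VALIDATE_URL returns false for input that lacks a scheme or host. check_http_url() is a hypothetical helper name and the example.com and mailto inputs are constructed; the first two inputs are the ones from the report.

```php
<?php
// Added example. check_http_url() is a hypothetical helper, not a PHP built-in.
function check_http_url($input)
{
    // Validation: filter_var() returns the URL on success, false on failure.
    // No FILTER_FLAG_*_REQUIRED flag is passed; FILTER_VALIDATE_URL does the
    // scheme and host checks itself.
    $url = filter_var($input, FILTER_VALIDATE_URL);
    if ($url === false) {
        return false;
    }

    // FILTER_VALIDATE_URL does not restrict the scheme, and it lets mailto:,
    // news: and file: URLs through without a host, so check both explicitly.
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host']) || empty($parts['scheme'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    return $url;
}

$inputs = array(
    'http:///path/by/path?query=124',            // from the report
    '/path/by/path?query=124',                   // from the report
    'http://example.com/path/by/path?query=124', // constructed
    'mailto:user@example.com',                   // constructed
    "http://example.com/pa th\x01?query=124",    // constructed: space and control byte
);

foreach ($inputs as $input) {
    // Sanitizing only removes characters that are not allowed in a URL;
    // for string input the result is a string, never false.
    $sanitized = filter_var($input, FILTER_SANITIZE_URL);
    echo 'input:     '; var_dump($input);
    echo 'sanitized: '; var_dump($sanitized);
    echo 'validated: '; var_dump(check_http_url($input));
    echo "\n";
}
```

Code that needs a yes/no answer about a URL should branch on the validated result; the sanitized string says nothing about whether a host is present.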
 