php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #71822 parse_url on 7.1.0-dev returns false where password contains a `-` character
Submitted: 2016-03-14 13:40 UTC Modified: 2018-12-18 08:13 UTC
Votes:8
Avg. Score:4.0 ± 0.9
Reproduced:6 of 6 (100.0%)
Same Version:3 (50.0%)
Same OS:1 (16.7%)
From: nigel dot greenway at futurepixels dot co dot uk Assigned: stas (profile)
Status: Closed Package: *URL Functions
PHP Version: Next Major Version OS: Linux - BunsenLabs
Private report: No CVE-ID: None
View Developer Edit
 [2016-03-14 13:40 UTC] nigel dot greenway at futurepixels dot co dot uk 
Description:
------------
Passing hyphenated username and passwords as part of a url to `url_parse` returns false.

Test script:
---------------
<?php

var_dump(
	parse_url('http://some:password@ex-ample.co.uk'),
	parse_url('http://so-me:password@192.168.0.123'),
	parse_url('http://some:pass-word@192.168.0.123')
);

Expected result:
----------------
array(4) {
  ["scheme"]=>
  string(4) "http"
  ["host"]=>
  string(14) "ex-ample.co.uk"
  ["user"]=>
  string(4) "some"
  ["pass"]=>
  string(8) "password"
}
array(4) {
  ["scheme"]=>
  string(4) "http"
  ["host"]=>
  string(14) "192.168.0.123"
  ["user"]=>
  string(4) "so-me"
  ["pass"]=>
  string(8) "password"
}
array(4) {
  ["scheme"]=>
  string(4) "http"
  ["host"]=>
  string(14) "192.168.0.123"
  ["user"]=>
  string(4) "some"
  ["pass"]=>
  string(8) "pass-word"
}

Actual result:
--------------
array(4) {
  ["scheme"]=>
  string(4) "http"
  ["host"]=>
  string(14) "ex-ample.co.uk"
  ["user"]=>
  string(4) "some"
  ["pass"]=>
  string(8) "password"
}
bool(false)
bool(false)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-03-14 13:52 UTC] derick@php.net 
I've tried this and can reproduce this. It's changed from PHP 7.0.3 where having a - works fine.
 [2016-03-15 07:09 UTC] yohgaki@php.net 
https://3v4l.org/UusRf
It seems released versions are fine.

 unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
 pct-encoded = "%" HEXDIG HEXDIG
 sub-delims  = "!" / "$" / "&" / "'" / "(" / ")"
                  / "*" / "+" / "," / ";" / "="
 userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )
https://www.ietf.org/rfc/rfc3986.txt

"so-me:pass-word" should be valid username and password.

According to the RFC, "Use of the format "user:password" in the userinfo field is deprecated.", but we need to support this format anyway.
 [2016-09-07 14:51 UTC] andi at splitbrain dot org 
The same problem occurs with a space in the password. I am aware that this might not be a valid URL as is (space should be escaped) however this used to work on PHP 7.0

<?php                                                                                                                   
$x = parse_url('http://foo:foo bar@example.com/');                                                                      
var_dump($x);
?>
 [2016-10-07 20:16 UTC] cilefen at gmail dot com 
This is causing test failures in Drupal 8 HEAD, https://www.drupal.org/node/2813981.
 [2016-10-07 20:39 UTC] cilefen at gmail dot com 
Underscores "_" also cause a return of false.
 [2016-10-12 14:35 UTC] cilefen at gmail dot com 
It looks like the commit that caused this was reverted: https://github.com/php/php-src/commit/1c468ee044289661c8c4118a0653222596668432
 [2018-12-18 08:13 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2018-12-18 08:13 UTC] stas@php.net 
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri May 09 10:01:28 2025 UTC