Bug #71822 parse_url on 7.1.0-dev returns false where password contains a `-` character
Submitted: 2016-03-14 13:40 UTC Modified: 2016-03-15 07:09 UTC
Votes:8
Avg. Score:4.0 ± 0.9
Reproduced:6 of 6 (100.0%)
Same Version:3 (50.0%)
Same OS:1 (16.7%)
From: nigel dot greenway at futurepixels dot co dot uk Assigned:
Status: Open Package: *URL Functions
PHP Version: Next Major Version OS: Linux - BunsenLabs
Private report: No CVE-ID: None

 [2016-03-14 13:40 UTC] nigel dot greenway at futurepixels dot co dot uk
Description:
------------
Passing hyphenated usernames and passwords as part of a URL to `url_parse` returns false.

Test script:
---------------
<?php

var_dump(
	parse_url('http://some:password@ex-ample.co.uk'),
	parse_url('http://so-me:password@192.168.0.123'),
	parse_url('http://some:pass-word@192.168.0.123')
);

Expected result:
----------------
array(4) {
  ["scheme"]=>
  string(4) "http"
  ["host"]=>
  string(14) "ex-ample.co.uk"
  ["user"]=>
  string(4) "some"
  ["pass"]=>
  string(8) "password"
}
array(4) {
  ["scheme"]=>
  string(4) "http"
  ["host"]=>
  string(14) "192.168.0.123"
  ["user"]=>
  string(4) "so-me"
  ["pass"]=>
  string(8) "password"
}
array(4) {
  ["scheme"]=>
  string(4) "http"
  ["host"]=>
  string(14) "192.168.0.123"
  ["user"]=>
  string(4) "some"
  ["pass"]=>
  string(8) "pass-word"
}

Actual result:
--------------
array(4) {
  ["scheme"]=>
  string(4) "http"
  ["host"]=>
  string(14) "ex-ample.co.uk"
  ["user"]=>
  string(4) "some"
  ["pass"]=>
  string(8) "password"
}
bool(false)
bool(false)

 [2016-03-14 13:52 UTC] derick@php.net
I've tried this and can reproduce this. It's changed from PHP 7.0.3 where having a - works fine.
 [2016-03-15 07:09 UTC] yohgaki@php.net
https://3v4l.org/UusRf
It seems released versions are fine.

 unreserved  = ALPHA / DIGIT / "-" / "." / "_" / "~"
 pct-encoded = "%" HEXDIG HEXDIG
 sub-delims  = "!" / "$" / "&" / "'" / "(" / ")"
                  / "*" / "+" / "," / ";" / "="
 userinfo    = *( unreserved / pct-encoded / sub-delims / ":" )
https://www.ietf.org/rfc/rfc3986.txt

"so-me:pass-word" should be a valid username and password.

According to the RFC, "Use of the format "user:password" in the userinfo field is deprecated.", but we need to support this format anyway.
 [2016-09-07 14:51 UTC] andi at splitbrain dot org
The same problem occurs with a space in the password. I am aware that this might not be a valid URL as is (space should be escaped); however, this used to work on PHP 7.0.

<?php
$x = parse_url('http://foo:foo bar@example.com/');
var_dump($x);
?>
 [2016-10-07 20:16 UTC] cilefen at gmail dot com
This is causing test failures in Drupal 8 HEAD, https://www.drupal.org/node/2813981.
 [2016-10-07 20:39 UTC] cilefen at gmail dot com
Underscores "_" also cause a return of false.
 [2016-10-12 14:35 UTC] cilefen at gmail dot com
It looks like the commit that caused this was reverted: https://github.com/php/php-src/commit/1c468ee044289661c8c4118a0653222596668432
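
An added example, not part of the original report or of php-src: it checks the userinfo of the URLs quoted in this thread against the RFC 3986 grammar cited above and prints the verdict next to what parse_url() returns on the running build, which makes a regression like this one visible. The name check_userinfo and the underscore URL are assumptions made for illustration.

```php
<?php
// Added example, not php-src code. Grammar: RFC 3986 section 3.2.1.
// userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
const USERINFO_RE = '/\A(?:[A-Za-z0-9\-._~!$&\'()*+,;=:]|%[0-9A-Fa-f]{2})*\z/';

/**
 * Extract the userinfo component of a URL and check it against the grammar.
 * Returns null when there is no userinfo, otherwise
 * ['userinfo' => string, 'valid' => bool]. (Hypothetical helper.)
 */
function check_userinfo(string $url): ?array
{
    // Authority = text between "//" and the next "/", "?" or "#" (appendix B).
    if (!preg_match('~\A[A-Za-z][A-Za-z0-9+.\-]*://([^/?#]*)~', $url, $m)) {
        return null;
    }
    // Split at the last "@"; a raw "@" left inside userinfo then fails the
    // grammar check instead of silently becoming part of the host.
    $at = strrpos($m[1], '@');
    if ($at === false) {
        return null;
    }
    $userinfo = substr($m[1], 0, $at);
    return [
        'userinfo' => $userinfo,
        'valid'    => preg_match(USERINFO_RE, $userinfo) === 1,
    ];
}

// URLs quoted in this report, plus one underscore case constructed here.
$urls = [
    'http://some:password@ex-ample.co.uk',
    'http://so-me:password@192.168.0.123',
    'http://some:pass-word@192.168.0.123',
    'http://foo:foo bar@example.com/',
    'http://so_me:pass_word@example.com/', // constructed
];

foreach ($urls as $url) {
    $rfc    = check_userinfo($url);
    $parsed = parse_url($url);
    $verdict = $rfc === null ? 'none' : ($rfc['valid'] ? 'valid' : 'invalid');
    $result  = $parsed === false
        ? 'false'
        : 'user=' . ($parsed['user'] ?? '') . ' pass=' . ($parsed['pass'] ?? '');
    printf("%-40s rfc3986=%-7s parse_url=%s\n", $url, $verdict, $result);
}
```

A line showing rfc3986=valid together with parse_url=false indicates the behaviour reported here; callers should in any case test the return value of parse_url() against false before indexing into it.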
 
Last updated: Sun Nov 19 01:31:42 2017 UTC