PHP :: Bug #71946 :: THE FUNCTION FILTER_VALIDATE_URL is not validating the the Protocol of a URL.

Bug #71946	THE FUNCTION FILTER_VALIDATE_URL is not validating the the Protocol of a URL.
Submitted:	2016-04-01 16:28 UTC	Modified:	2016-04-03 02:30 UTC
From:	bharatsewani1993 at gmail dot com	Assigned:
Status:	Not a bug	Package:	filter (PECL)
PHP Version:	5.6.20	OS:	WINDOWS/LINUX
Private report:	No	CVE-ID:	None

View Developer Edit

[2016-04-01 16:28 UTC] bharatsewani1993 at gmail dot com

Description:
------------
The function FILTER_VALIDATE_URL is not validating the the Protocol of a URL.. Even if Its Compulsory to Pass Protocol to the function
example:
$url="fakeprotocol.fakedata.fakething.fakename.randomestring://www.google.com";
$r = filter_var($url, FILTER_VALIDATE_URL);
the Above code Always Return True.. But is Should Be FALSE. coz of it's wrong protocol part & IT'S NOT A Valid Url 


Test script:
---------------
<?php
$url="fake.fake.fake.fake.fake.proto://www.google.com";
$r = filter_var($url, FILTER_VALIDATE_URL);
if($r)
{
   echo "Valid Url";
}
else
{
  echo "Invalid url";
}
?>

Expected result:
----------------
if Protocol part of URL is in Invalid format It should not Return True..
coz url is Not Valid..
But the Above code is always Return "Valid url" as Output

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-04-03 02:26 UTC] kalle@php.net

-Type: Security +Type: Bug

[2016-04-03 02:30 UTC] kalle@php.net

-Status: Open +Status: Not a bug

[2016-04-03 02:30 UTC] kalle@php.net

Filters are purely validating based on syntax, periods in protocols are also perfectly valid.

If you wish to validate the actual type of the protocol, then take a look at http://php.net/parse_url and manually compare it, like so:

C:\dev\php-src>php -r "$valid_protos = ['http', 'https']; $proto = strtolower(pa
rse_url($argv[1], PHP_URL_SCHEME)); var_dump(in_array($proto, $valid_protos));"
http://www.google.com/
bool(true)

C:\dev\php-src>php -r "$valid_protos = ['http', 'https']; $proto = strtolower(pa
rse_url($argv[1], PHP_URL_SCHEME)); var_dump(in_array($proto, $valid_protos));"
https://www.google.com/
bool(true)

C:\dev\php-src>php -r "$valid_protos = ['http', 'https']; $proto = strtolower(pa
rse_url($argv[1], PHP_URL_SCHEME)); var_dump(in_array($proto, $valid_protos));"
httpc://www.google.com/
bool(false)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Nov 01 19:00:02 2025 UTC