Bug #71946 THE FUNCTION FILTER_VALIDATE_URL is not validating the Protocol of a URL.
Submitted: 2016-04-01 16:28 UTC Modified: 2016-04-03 02:30 UTC
From: bharatsewani1993 at gmail dot com Assigned:
Status: Not a bug Package: filter (PECL)
PHP Version: 5.6.20 OS: WINDOWS/LINUX
Private report: No CVE-ID: None
 [2016-04-01 16:28 UTC] bharatsewani1993 at gmail dot com
Description:
------------
The function FILTER_VALIDATE_URL is not validating the protocol of a URL, even if it's compulsory to pass a protocol to the function.
Example:
$url="fakeprotocol.fakedata.fakething.fakename.randomestring://www.google.com";
$r = filter_var($url, FILTER_VALIDATE_URL);
The above code always returns true, but it should be FALSE because of its wrong protocol part, and it's not a valid URL.


Test script:
---------------
<?php
$url="fake.fake.fake.fake.fake.proto://www.google.com";
$r = filter_var($url, FILTER_VALIDATE_URL);
if($r)
{
   echo "Valid Url";
}
else
{
  echo "Invalid url";
}
?>

Expected result:
----------------
If the protocol part of the URL is in an invalid format, it should not return true,
because the URL is not valid.
But the above code always returns "Valid url" as output.


 [2016-04-03 02:26 UTC] kalle@php.net
-Type: Security +Type: Bug
 [2016-04-03 02:30 UTC] kalle@php.net
-Status: Open +Status: Not a bug
 [2016-04-03 02:30 UTC] kalle@php.net
Filters are purely validating based on syntax, periods in protocols are also perfectly valid.

If you wish to validate the actual type of the protocol, then take a look at http://php.net/parse_url and manually compare it, like so:

C:\dev\php-src>php -r "$valid_protos = ['http', 'https']; $proto = strtolower(parse_url($argv[1], PHP_URL_SCHEME)); var_dump(in_array($proto, $valid_protos));" http://www.google.com/
bool(true)

C:\dev\php-src>php -r "$valid_protos = ['http', 'https']; $proto = strtolower(parse_url($argv[1], PHP_URL_SCHEME)); var_dump(in_array($proto, $valid_protos));" https://www.google.com/
bool(true)

C:\dev\php-src>php -r "$valid_protos = ['http', 'https']; $proto = strtolower(parse_url($argv[1], PHP_URL_SCHEME)); var_dump(in_array($proto, $valid_protos));" httpc://www.google.com/
bool(false)
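
The check suggested in the reply above, combined with the syntax filter in one reusable function. This is an added example, not code from the report or from PHP itself; the helper name is_allowed_url, the extra host requirement, the sample list and the use of PHP 7 type declarations are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of PHP): syntax check plus scheme allowlist.
function is_allowed_url(string $url, array $allowedSchemes = ['http', 'https']): bool
{
    // Step 1: syntax only. Any well-formed scheme passes here, dotted ones included.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }

    // Step 2: extract the components. parse_url() returns false on seriously
    // malformed input. Requiring a host is an added assumption of this example.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }

    // Schemes are case-insensitive, so normalise before the strict comparison.
    return in_array(strtolower($parts['scheme']), $allowedSchemes, true);
}

// Constructed sample inputs; the first three are taken from the report and the reply.
$samples = [
    'fake.fake.fake.fake.fake.proto://www.google.com',
    'http://www.google.com/',
    'httpc://www.google.com/',
    'HTTPS://www.google.com/',
    'www.google.com',
];

// Print the result of the syntax filter next to the result of the allowlist check.
foreach ($samples as $url) {
    printf(
        "%-50s syntax=%s allowed=%s\n",
        $url,
        var_export(filter_var($url, FILTER_VALIDATE_URL) !== false, true),
        var_export(is_allowed_url($url), true)
    );
}
```

The two columns differ exactly where the syntax filter accepts a scheme that the application does not intend to handle.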
Last updated: Wed Jan 19 12:03:16 2022 UTC