php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72301 filter_var($url, FILTER_VALIDATE_URL) does not support scheme-relative URLs
Submitted: 2016-05-31 09:26 UTC Modified: 2016-12-22 10:18 UTC
Votes:11
Avg. Score:4.5 ± 0.8
Reproduced:11 of 11 (100.0%)
Same Version:2 (18.2%)
Same OS:1 (9.1%)
From: ian+php at ians-net dot co dot uk Assigned:
Status: Open Package: Filter related
PHP Version: 7.0.7 OS: irrelevant
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2016-05-31 09:26 UTC] ian+php at ians-net dot co dot uk
Description:
------------
RFC3986 allows scheme relative URLs, also termed network-path references. These are commonly used to ensure the appropriate protocol is used to fetch the resource regardless of whether the resource is embedded in a http or https page.

filter_var($url, FILTER_VALIDATE_URL) does not correctly validate these URLs

See also
 https://tools.ietf.org/html/rfc3986#section-4.2
 https://url.spec.whatwg.org/#syntax-url-scheme-relative

Test script:
---------------
var_dump(filter_var("//google.com/", FILTER_VALIDATE_URL));



Expected result:
----------------
bool(true)

Actual result:
--------------
bool(false)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-05-31 10:07 UTC] derick@php.net
If this gets added, it should be done with an optional (off by default) new flag.
 [2016-06-30 15:18 UTC] apokryfos84 at gmail dot com
The problem is that FILTER_VALIDATE_URL uses RFC 2396 which is older than RFC 3986. This would have been OK if the language was consistent in the URL RFC it was using, however parse_url seems to be using RFC3986, making the following code to behave unexpectedly. 

if (filter_var($url,FILTER_VALIDATE_URL)) {
    $parts = parse_url($url);
} 

Note: I am only assuming that parse_url uses RFC 3986 because there's a link to it in the "see also" links of http://php.net/manual/en/function.parse-url.php
 [2016-12-22 02:22 UTC] ihipop+php at gmail dot com
I think a new flag should be add to obey the RFC3986,and compatible with the old behavior
 [2016-12-22 10:18 UTC] yohgaki@php.net
-Operating System: OpenBSD +Operating System: irrelevant
 [2016-12-22 10:18 UTC] yohgaki@php.net
FYI. "//example.com/" is supported by parse_url() and URL rewriter by default.

https://3v4l.org/uN3I3

There is re2c URL parser. I suppose it's not merged yet. It may be better to use new URL parser and be consistent. Current URL rewriter uses the same internal function as parse_url(), so it will use re2c URL parser when it is merged.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Wed Aug 21 15:01:27 2019 UTC