php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #73500 parse_url behaviour changed between 7.0.12 and 7.0.13 when pw begins with #
Submitted: 2016-11-11 15:08 UTC Modified: 2016-11-13 16:07 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: max at substrakt dot com Assigned:
Status: Wont fix Package: URL related
PHP Version: 7.0.13 OS: Ubuntu Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: max at substrakt dot com
New email:
PHP Version: OS:

 

 [2016-11-11 15:08 UTC] max at substrakt dot com 
Description:
------------
When running the following code on PHP 7.0.12 and 7.0.13, a different result is returned.

In the later version, the user and pass attributes are missing. This _only_ occurs when the first character of the password is # (hash/pound). Strong passwords can often include the # symbol so this is unexpected behaviour.

I've not raised a bug in PHP before, please let me know if you need further information to resolve this!

Test script:
---------------
<?php
    $url = "mysql://user:#fhdsjfghjdf@host.eu-west-1.rds.amazonaws.com:3306/database_name";
    var_dump(parse_url($url));


Expected result:
----------------
array(6) {
  ["scheme"]=>
  string(5) "mysql"
  ["host"]=>
  string(32) "host.eu-west-1.rds.amazonaws.com"
  ["port"]=>
  int(3306)
  ["user"]=>
  string(4) "user"
  ["pass"]=>
  string(12) "#fhdsjfghjdf"
  ["path"]=>
  string(14) "/database_name"
}

Actual result:
--------------
array(3) {
  ["scheme"]=>
  string(5) "mysql"
  ["host"]=>
  string(4) "user"
  ["fragment"]=>
  string(63) "fhdsjfghjdf@host.eu-west-1.rds.amazonaws.com:3306/database_name"
}

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-11 15:22 UTC] nikic@php.net 
Just like for other parts of a URI, it is necessary to URL-encode passwords (for example, using the urlencode() function). The "#" in your password should be "%23" instead.

As bug #73192, which resulted in this change, is classified as a security bug, I don't think we'll take further action here.
 [2016-11-13 16:07 UTC] ab@php.net
-Status: Open +Status: Wont fix
 [2016-11-23 20:38 UTC] requinix@php.net 
Related To: Bug #73595
 [2016-12-02 01:54 UTC] requinix@php.net 
Related To: Bug #73639
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Tue Apr 16 23:01:30 2024 UTC