Doc Bug #73975 parse_url does not decode % escaping of username
Submitted: 2017-01-23 02:38 UTC Modified: 2017-09-12 11:00 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: trejkaz at trypticon dot org Assigned: cmb
Status: Closed Package: URL related
PHP Version: 5.6.30 OS: macOS
Private report: No CVE-ID:
 [2017-01-23 02:38 UTC] trejkaz at trypticon dot org
Description:
------------
The userinfo part of a URL can contain %-encoding for characters which otherwise would confuse a URL parser.

Thus if your username or password contains, for instance, a @, you would be entering %40 into the URL instead.

PHP's parse_url function does not decode this encoding, but returns the 'user' and 'pass' values with it as it was in the original URL.

Alternatively, if the intent is that this function keeps the encoding in the values, this should be clearly stated in the documentation. It turns out that Drupal is calling this function, seemingly assuming that it is being completely decoded.


Test script:
---------------
<?php
var_dump(parse_url('https://user%40name:pass%40word@example.com'));
?>


Expected result:
----------------
array(4) {
  ["scheme"]=>
  string(5) "https"
  ["host"]=>
  string(11) "example.com"
  ["user"]=>
  string(9) "user@name"
  ["pass"]=>
  string(9) "pass@word"
}


Actual result:
--------------
array(4) {
  ["scheme"]=>
  string(5) "https"
  ["host"]=>
  string(11) "example.com"
  ["user"]=>
  string(11) "user%40name"
  ["pass"]=>
  string(11) "pass%40word"
}


 [2017-01-23 11:35 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2017-01-23 11:35 UTC] cmb@php.net
Confirmed: <https://3v4l.org/W8DWh>.
 [2017-01-23 11:44 UTC] nikic@php.net
It does not look like any component of the URL is url-decoded by parse_url(). While I personally think that parse_url() *ought* to be doing this, changing it at this point would be counter-productive, as client code would have to conditionally decode the result (rather than always decode it), leading to more brittle code.
 [2017-09-12 10:49 UTC] cmb@php.net
-Type: Bug +Type: Documentation Problem -Assigned To: +Assigned To: cmb
 [2017-09-12 10:49 UTC] cmb@php.net
> It does not look like any component of the URL is url-decoded by
> parse_url().

Indeed.  Changing to doc bug.
 [2017-09-12 10:58 UTC] cmb@php.net
Automatic comment from SVN on behalf of cmb
Revision: http://svn.php.net/viewvc/?view=revision&revision=343075
Log: Fixed bug #73975 (parse_url does not decode % escaping of username)
 [2017-09-12 11:00 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2017-09-12 11:00 UTC] cmb@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.
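
Added example (not from the bug report or the PHP project): because parse_url() returns every component still percent-encoded, code that uses the credentials has to decode the userinfo itself, exactly once, after the URL has been split. The helper name parse_url_userinfo_decoded and the sample URLs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of PHP or Drupal): parse first, then
// percent-decode the userinfo exactly once.
function parse_url_userinfo_decoded(string $url): array
{
    $parts = parse_url($url);
    if ($parts === false) {
        throw new InvalidArgumentException('Seriously malformed URL');
    }
    foreach (['user', 'pass'] as $key) {
        if (isset($parts[$key])) {
            // rawurldecode() follows RFC 3986 and leaves a literal '+' alone;
            // urldecode() would turn it into a space and corrupt the password.
            $parts[$key] = rawurldecode($parts[$key]);
        }
    }
    return $parts;
}

// Constructed sample: '@' is escaped as %40, '+' is a literal password character.
$url = 'https://user%40name:pass%40word+1@example.com';

$raw     = parse_url($url);
$decoded = parse_url_userinfo_decoded($url);

var_dump($raw['user'], $raw['pass']);         // still percent-encoded
var_dump($decoded['user'], $decoded['pass']); // decoded once, '+' preserved

// Decoding a second time is a bug when the credential itself contains '%':
// here the password's own percent sign was escaped as %25 in the URL.
$tricky = parse_url_userinfo_decoded('https://u:100%2541@example.com');
var_dump($tricky['pass'], rawurldecode($tricky['pass']));
```

The last two values differ, which is why the decode belongs in one place right after parse_url() rather than being repeated by each consumer of the credentials.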
 