|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #73975 parse_url does not decode % escaping of username
Submitted: 2017-01-23 02:38 UTC Modified: 2017-09-12 11:00 UTC
Avg. Score:4.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: trejkaz at trypticon dot org Assigned: cmb (profile)
Status: Closed Package: URL related
PHP Version: 5.6.30 OS: macOS
Private report: No CVE-ID: None
 [2017-01-23 02:38 UTC] trejkaz at trypticon dot org
The userinfo part of a URL can contain %-encoding for characters which otherwise would confuse a URL parser.

Thus if your username or password contains, for instance, a @, you would be entering %40 into the URL instead.

PHP's parse_url function does not perform decode this encoding, but returns the 'user' and 'pass' values with it as it was in the original URL.

Alternatively, if the intent is that this function keeps the encoding in the values, this should be clearly stated in the documentation. It turns out that Drupal is calling this function, seemingly assuming that it is being completely decoded.

Test script:

Expected result:
array(4) {
  string(5) "https"
  string(11) ""
  string(9) "user@name"
  string(9) "pass@word"

Actual result:
array(4) {
  string(5) "https"
  string(11) ""
  string(11) "user%40name"
  string(11) "pass%40word"


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2017-01-23 11:35 UTC]
-Status: Open +Status: Verified
 [2017-01-23 11:35 UTC]
Confirmed: <>.
 [2017-01-23 11:44 UTC]
It does not look like any component of the URL is url-decoded by parse_url(). While I personally think that parse_url() *ought* to be doing this, changing it at this point would be counter-productive, as client code would have to conditionally decode the result (rather than always decode it), leading to more brittle code.
 [2017-09-12 10:49 UTC]
-Type: Bug +Type: Documentation Problem -Assigned To: +Assigned To: cmb
 [2017-09-12 10:49 UTC]
> It does not look like any component of the URL is url-decoded by
> parse_url().

Indeed.  Changing to doc bug.
 [2017-09-12 10:58 UTC]
Automatic comment from SVN on behalf of cmb
Log: Fixed bug #73975 (parse_url does not decode % escaping of username)
 [2017-09-12 11:00 UTC]
-Status: Verified +Status: Closed
 [2017-09-12 11:00 UTC]
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC