php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #75356 parse_url filtering does not match CURL filtering
Submitted: 2017-10-10 18:38 UTC Modified: 2017-10-10 21:05 UTC
From: mattshockl at gmail dot com Assigned:
Status: Not a bug Package: URL related
PHP Version: 7.1.10 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: mattshockl at gmail dot com
New email:
PHP Version: OS:

 

 [2017-10-10 18:38 UTC] mattshockl at gmail dot com 
Description:
------------
Similarly to https://bugs.php.net/bug.php?id=73192, parse_url parsing mismatches the parsing of the curl module.  By crafting a special url like "badwebsite.com:/secrets.php", parse_url will parse and return "badwebsite.com" as the schema, while curl will execute with "badwebsite.com" as the hostname.  For sites filtering on parse_url hostname, this could be seen as a security issue/bypass.  See the test script for an example. 

Test script:
---------------
$blacklist = array("google.com", "badwebsite.com");

$url = $_GET['url']; /* url=badwebsite.com:/secrets.php */
$parsed = parse_url($url);

if (isset($parsed['host']) && in_array($parsed['host'], $blacklist))
{
    echo "bad hacker";
    exit();
}

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_COOKIE, "nuke_launch_codes=31-133-37");
curl_exec($ch);
curl_close($ch);


Expected result:
----------------
With url=badwebsite.com:/secrets.php, the expected result should be "bad hacker."

Actual result:
--------------
With url=badwebsite.com:/secrets.php, the actual result is the HTML of badwebsite.com/secrets.php

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-10-10 21:05 UTC] requinix@php.net
-Status: Open +Status: Not a bug -Package: Filter related +Package: URL related
 [2017-10-10 21:05 UTC] requinix@php.net 
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

http://php.net/manual/en/function.parse-url.php
> This function is not meant to validate the given URL

http://php.net/manual/en/function.filter-var.php
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 19 11:01:28 2024 UTC