Bug #75356 parse_url filtering does not match CURL filtering
Submitted: 2017-10-10 18:38 UTC Modified: 2017-10-10 21:05 UTC
From: mattshockl at gmail dot com Assigned:
Status: Not a bug Package: URL related
PHP Version: 7.1.10 OS: Linux
Private report: No CVE-ID: None


 [2017-10-10 18:38 UTC] mattshockl at gmail dot com
Similarly to, parse_url parsing mismatches the parsing of the curl module.  By crafting a special url like "", parse_url will parse and return "" as the schema, while curl will execute with "" as the hostname.  For sites filtering on parse_url hostname, this could be seen as a security issue/bypass.  See the test script for an example. 

Test script:
$blacklist = array("", "");

$url = $_GET['url']; /* */
$parsed = parse_url($url);

if (isset($parsed['host']) && in_array($parsed['host'], $blacklist))
    echo "bad hacker";

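$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url); // curl parses the raw URL itself
curl_setopt($ch, CURLOPT_COOKIE, "nuke_launch_codes=31-133-37");
curl_exec($ch); // perform the request; the response body is printed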

Expected result:
With, the expected result should be "bad hacker."

Actual result:
With, the actual result is the HTML of


 [2017-10-10 21:05 UTC]
-Status: Open
+Status: Not a bug
-Package: Filter related
+Package: URL related
 [2017-10-10 21:05 UTC]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at and the instructions on how to report
a bug at
> This function is not meant to validate the given URL
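
Since parse_url is not a validator, the check has to be designed so that curl cannot see anything the filter did not. The following is an added example, not code from this report or from PHP itself: it hands curl only a URL rebuilt from the components that were checked. The function name `canonical_url`, the deny list and the sample URL are assumptions.

```php
<?php
// Added example; function name, deny list and sample URL are illustrative.

// Return a URL rebuilt only from the components parse_url() reported,
// or null if the input is not a plain http(s) URL we are willing to fetch.
function canonical_url(string $url, array $denyHosts): ?string
{
    // Control characters, spaces and backslashes are handled differently
    // by different URL parsers, so refuse them before parsing.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return null;
    }
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $host   = strtolower($p['host']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // Userinfo ("user:pass@") is a common source of host confusion.
    if (isset($p['user']) || isset($p['pass'])) {
        return null;
    }
    // The host must be a literal IP address or a plain DNS name.
    $isIp = filter_var(trim($host, '[]'), FILTER_VALIDATE_IP) !== false;
    if (!$isIp && !filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)) {
        return null;
    }
    if (in_array($host, $denyHosts, true)) {
        return null;
    }
    $port  = isset($p['port']) ? ':' . $p['port'] : '';
    $path  = $p['path'] ?? '/';
    $query = isset($p['query']) ? '?' . $p['query'] : '';
    // The fragment is dropped: it is never sent to the server.
    return "$scheme://$host$port$path$query";
}

$deny = ['internal.example'];   // constructed deny list
$url  = canonical_url($_GET['url'] ?? 'http://example.com/a?b=1#frag', $deny);
if ($url === null) {
    exit("rejected\n");
}
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);   // the rebuilt URL, never the raw input
curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
```

A hostname deny list still does not cover names or numeric forms that resolve to an internal address; checking the resolved IP and pinning it with CURLOPT_RESOLVE covers that part.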
Last updated: Wed Jun 19 04:01:31 2024 UTC