Bug #75356 parse_url filtering does not match CURL filtering
Submitted: 2017-10-10 18:38 UTC Modified: 2017-10-10 21:05 UTC
From: mattshockl at gmail dot com Assigned:
Status: Not a bug Package: URL related
PHP Version: 7.1.10 OS: Linux
Private report: No CVE-ID: None

 [2017-10-10 18:38 UTC] mattshockl at gmail dot com
Similarly to, parse_url parsing mismatches the parsing of the curl module.  By crafting a special url like "", parse_url will parse and return "" as the schema, while curl will execute with "" as the hostname.  For sites filtering on parse_url hostname, this could be seen as a security issue/bypass.  See the test script for an example. 

Test script:
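// Hosts the script is meant to refuse
$blacklist = array("", "");

$url = $_GET['url']; /* */
$parsed = parse_url($url);

// Filter on the host as parse_url() reports it
if (isset($parsed['host']) && in_array($parsed['host'], $blacklist))
    echo "bad hacker";

// curl parses $url again on its own, independently of parse_url()
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_COOKIE, "nuke_launch_codes=31-133-37");
curl_exec($ch);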

Expected result:
With, the expected result should be "bad hacker."

Actual result:
With, the actual result is the HTML of


 [2017-10-10 21:05 UTC]
-Status: Open +Status: Not a bug -Package: Filter related +Package: URL related
 [2017-10-10 21:05 UTC]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at and the instructions on how to report
a bug at
> This function is not meant to validate the given URL
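
One way to act on the reply above, as an added example that is not part of the original report or of PHP itself: parse once, refuse inputs that parsers tend to read differently, check the host against an allowlist, and give curl a URL rebuilt from the validated parts rather than the raw input. `ALLOWED_HOSTS`, `safe_fetch_url()` and `fetch_checked()` are hypothetical names, and all hosts and sample inputs are constructed.

```php
<?php
// Added example, not code from the report. Hosts below are constructed.
const ALLOWED_HOSTS = ['api.example.com', 'static.example.com'];

// Returns a URL rebuilt from validated parts, or null if the input is refused.
function safe_fetch_url(string $url): ?string
{
    // Refuse control bytes, whitespace, backslashes, '@' and '#': userinfo and
    // fragments are not needed here, and they are where parsers tend to differ.
    if (preg_match('/[\x00-\x20\x7f\\\\@#]/', $url)) {
        return null;
    }
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    $scheme = strtolower($p['scheme']);
    $host   = strtolower($p['host']);
    if (!in_array($scheme, ['http', 'https'], true)
        || !in_array($host, ALLOWED_HOSTS, true)) {   // allowlist, not blacklist
        return null;
    }
    $port  = isset($p['port']) ? ':' . $p['port'] : '';
    $query = isset($p['query']) ? '?' . $p['query'] : '';
    return $scheme . '://' . $host . $port . ($p['path'] ?? '/') . $query;
}

function fetch_checked(string $url)
{
    $safe = safe_fetch_url($url);
    if ($safe === null) {
        return false;
    }
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $safe); // rebuilt URL, never the raw input
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false); // a redirect would skip the host check
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return curl_exec($ch);
}

// Constructed inputs; only the validator runs here, no request is made.
foreach (['https://api.example.com/v1?x=1',
          'https://API.example.com',
          'https://api.example.com@other.example/',
          'https://api.example.com/page#section',
          'ftp://api.example.com/'] as $u) {
    printf("%-45s => %s\n", $u, safe_fetch_url($u) ?? 'refused');
}
```

Refusing every `@` and `#` also rejects some legitimate URLs, such as a query string carrying an e-mail address; percent-encode those values before they reach the validator.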
Last updated: Mon Jun 17 03:01:28 2024 UTC