Bug #77331 FILTER_VALIDATE_DOMAIN fail on example.org/wat
Submitted: 2018-12-20 22:22 UTC Modified: 2018-12-20 23:29 UTC
Votes:7
Avg. Score:3.1 ± 1.6
Reproduced:5 of 5 (100.0%)
Same Version:4 (80.0%)
Same OS:3 (60.0%)
From: divinity76 at gmail dot com Assigned:
Status: Verified Package: Unknown/Other Function
PHP Version: 7.2 OS: Win7 x64 & Ubuntu 18.04
Private report: No CVE-ID: None

 [2018-12-20 22:22 UTC] divinity76 at gmail dot com
Description:
------------
FILTER_VALIDATE_DOMAIN fails to realize that "example.org/wat" is not a domain (URL? guess you can say that. domain? don't think so.) - interestingly, FILTER_VALIDATE_DOMAIN works fine if FILTER_FLAG_HOSTNAME is provided; the bug is only present when FILTER_FLAG_HOSTNAME is not provided.

Test script:
---------------
<?php

var_dump(
    filter_var('example.org/wat',FILTER_VALIDATE_DOMAIN),
    filter_var('example.org/wat',FILTER_VALIDATE_DOMAIN,FILTER_FLAG_HOSTNAME)
    );


Expected result:
----------------
bool(false)
bool(false)

Actual result:
--------------
string(15) "example.org/wat"
bool(false)

History

 [2018-12-20 23:28 UTC] cmb@php.net
-Status: Open +Status: Verified -PHP Version: 7.3.0 +PHP Version: 7.2
 [2018-12-20 23:29 UTC] cmb@php.net
See <https://3v4l.org/QRW3K>.
 [2018-12-22 03:36 UTC] a at b dot c dot de
FILTER_VALIDATE_DOMAIN is only looking at the lengths of the domain string and those of the bits between '.' characters (this is documented but doesn't seem hugely useful).

var_dump(
 filter_var('***.****',FILTER_VALIDATE_DOMAIN),
 filter_var('!',FILTER_VALIDATE_DOMAIN),
 filter_var('*******',FILTER_VALIDATE_DOMAIN),
 filter_var(str_repeat('*', 63),FILTER_VALIDATE_DOMAIN),
 filter_var(str_repeat('*', 64),FILTER_VALIDATE_DOMAIN) // Too long
);

Meanwhile, FILTER_FLAG_HOSTNAME rejects domains with legal hyphens:

var_dump(
 // A hyphen with a well-known story behind it
 filter_var('experts-exchange.com',
            FILTER_VALIDATE_DOMAIN | FILTER_FLAG_HOSTNAME),
 // Punycode (Greek test TLD)
 filter_var('xn--jxalpdlp',
            FILTER_VALIDATE_DOMAIN | FILTER_FLAG_HOSTNAME)
);
 [2018-12-22 09:09 UTC] divinity76 at gmail dot com
@ a at b dot c dot de , 

this is not a comment on the validity of your claim, but you are using filter_var wrong, FILTER_FLAG_HOSTNAME goes as the third parameter, it is not supposed to be bitwise-or'ed into the 2nd parameter. (filter_var is weird, check the docs)
 [2018-12-22 14:22 UTC] php at bitm dot sg
I want to add here that a whitespace and empty string should probably pass in the future. Empty string refers to the DNS Root: https://en.wikipedia.org/wiki/Fully_qualified_domain_name#Syntax
 [2019-01-24 19:21 UTC] divinity76 at gmail dot com
@ a at b dot c dot de

quote > Meanwhile, FILTER_FLAG_HOSTNAME rejects domains with legal hyphens:

- actually, when filter_var is used properly, it allows those domains (FILTER_FLAG_HOSTNAME goes as the third argument, don't xor it into the 2nd argument)

var_dump(
 // A hyphen with a well-known story behind it
 filter_var('experts-exchange.com',
            FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME),
 // Punycode (Greek test TLD)
 filter_var('xn--jxalpdlp',
            FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME)
);



returns bool(true) bool(true)
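
Added example (not part of the report and not PHP's own code): a strict host-name check for untrusted input that passes FILTER_FLAG_HOSTNAME as the third argument, as the comments above describe, and compares it with the flagless call on the strings discussed in this report. The function name is_strict_hostname() and the sample list are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Added example, hypothetical helper: accept only plain host names.
 * Returns true when $input is safe to treat as a host name.
 */
function is_strict_hostname(string $input): bool
{
    // Independent pre-check: letters, digits, hyphens and dots only, so a
    // path ("example.org/wat"), port, userinfo or whitespace is rejected
    // before the filter is consulted. The D modifier stops "$" from
    // matching in front of a trailing newline.
    if (preg_match('/^[A-Za-z0-9.-]+$/D', $input) !== 1) {
        return false;
    }

    // The flag is the THIRD argument (options). OR-ing it into the second
    // argument changes the filter ID instead of setting the flag.
    return filter_var($input, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
}

// Constructed sample inputs, based on the strings quoted in this report.
$samples = [
    'example.org/wat',
    '***.****',
    '!',
    'experts-exchange.com',
    'xn--jxalpdlp',
    str_repeat('a', 64) . '.example', // one label longer than 63 octets
];

foreach ($samples as $s) {
    // Flagless call: the behaviour this report is about.
    $loose  = filter_var($s, FILTER_VALIDATE_DOMAIN) !== false;
    $strict = is_strict_hostname($s);

    $shown = strlen($s) > 28 ? substr($s, 0, 25) . '...' : $s;
    printf("%-30s loose=%-5s strict=%s\n",
        $shown, var_export($loose, true), var_export($strict, true));
}
```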
 
Last updated: Tue Jun 25 15:01:24 2019 UTC