Doc Bug #81604 Parse_url wrong hostname detection
Submitted: 2021-11-09 13:29 UTC Modified: 2021-11-09 16:07 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: noahcore95 at gmail dot com Assigned:
Status: Closed Package: *URL Functions
PHP Version: 7.4.25 OS: Linux
Private report: No CVE-ID: None
 [2021-11-09 13:29 UTC] noahcore95 at gmail dot com
Description:
------------
Parse_url usage may lead to open redirect vulnerability. Firefox and Chrome open google.com instead of php.net.

Test script:
---------------
<?php

// Single quotes keep the backslash literal, so the string passed in is
// exactly https://:@google.com\@php.net (empty user and password before the @).
$x = 'https://:@google.com\@php.net';
print_r(parse_url($x));



Expected result:
----------------
Array
(
    [scheme] => https
    [host] => google.com
    [user] => 
    [pass] => ?
)

Actual result:
--------------
Array
(
    [scheme] => https
    [host] => php.net
    [user] => 
    [pass] => @google.com\
)

History

 [2021-11-09 16:07 UTC] cmb@php.net
-Type: Bug +Type: Documentation Problem
 [2021-11-09 16:07 UTC] cmb@php.net
This is an invalid URI, since the host must not be empty[1].
According to the documentation[2]:

| Partial and invalid URLs are also accepted, parse_url() tries
| its best to parse them correctly.

There is no claim that this best effort matches common browser
behavior.  However, the documentation should be improved to make it
clear that at least untrusted input should be checked with
FILTER_VALIDATE_URL, which reports this URI as invalid[3] due to
the fix for bug #81122.

[1] <https://datatracker.ietf.org/doc/html/rfc3986#appendix-A>
[2] <https://www.php.net/parse_url>
[3] <https://3v4l.org/6ed54>
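A defensive check that follows the advice in the comment above, added here as an example and not code from the report, from PHP, or from its documentation: it gates a redirect target with FILTER_VALIDATE_URL before parse_url() and then requires an exact host allowlist match. The function name safeRedirectTarget and the allowlist values are assumed; rejection of the reported URI assumes a PHP build that includes the fix for bug #81122, as the comment states.

```php
<?php
// Added example (not part of the bug report): validate a redirect target
// before using it, instead of trusting parse_url()'s best-effort parse.
// Assumes a PHP build that includes the fix for bug #81122, so
// FILTER_VALIDATE_URL rejects the URI from this report (empty host).

/**
 * Return $url unchanged if it is a well-formed absolute http(s) URL whose
 * host is in $allowedHosts (lower-case entries); otherwise return null so
 * the caller can fall back to a safe default location.
 */
function safeRedirectTarget(string $url, array $allowedHosts): ?string
{
    // Gate 1: FILTER_VALIDATE_URL rejects malformed URIs such as an empty
    // host, which parse_url() alone would still "best-effort" parse.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }

    // Gate 2: the URL must still parse and carry both a scheme and a host.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }

    // Gate 3: only the schemes this application intends to redirect to.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }

    // Gate 4: exact, case-insensitive host allowlist. No suffix or substring
    // matching, so "php.net.example" or "example/php.net" never pass for "php.net".
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;
    }

    return $url;
}

// Constructed allowlist for the demonstration.
$allowed = ['php.net', 'www.php.net'];

// The input from this report: parse_url() says host "php.net", but the
// URI fails FILTER_VALIDATE_URL, so the function returns null.
var_dump(safeRedirectTarget('https://:@google.com\@php.net', $allowed));

// A well-formed URL to an allowed host is returned unchanged.
var_dump(safeRedirectTarget('https://php.net/manual/', $allowed));

// A well-formed URL to a host outside the allowlist is rejected.
var_dump(safeRedirectTarget('https://google.com/', $allowed));
```

If a host fails the allowlist, redirect to a fixed in-application path rather than echoing the rejected value back to the user.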
 [2021-11-11 12:01 UTC] git@php.net
Automatic comment on behalf of cmb69
Revision: https://github.com/php/doc-en/commit/57f4d8e58f5a0e95cf3c0ee1a14fbc30cb4114d7
Log: Fix #81604: Parse_url wrong hostname detection
 [2021-11-11 12:01 UTC] git@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Mon Aug 08 17:05:45 2022 UTC