|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #81604 Parse_url wrong hostname detection
Submitted: 2021-11-09 13:29 UTC Modified: 2021-11-09 16:07 UTC
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: noahcore95 at gmail dot com Assigned:
Status: Closed Package: *URL Functions
PHP Version: 7.4.25 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: noahcore95 at gmail dot com
New email:
PHP Version: OS:


 [2021-11-09 13:29 UTC] noahcore95 at gmail dot com
Parse_url usage may lead to open redirect vulnerability. Firefox and Chrome opens instead of

Test script:

$x= '\';

Expected result:
    [scheme] => https
    [host] =>
    [user] => 
    [pass] => ?

Actual result:
    [scheme] => https
    [host] =>
    [user] => 
    [pass] =>\


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2021-11-09 16:07 UTC]
-Type: Bug +Type: Documentation Problem
 [2021-11-09 16:07 UTC]
This is an invalid URI, since the host must not be empty[1].
According to the documentation[2]:

| Partial and invalid URLs are also accepted, parse_url() tries
| its best to parse them correctly.

There is no claim that this best effort matches common browser
behavior.  However, the documentation should be improved to make it
clear that at least untrusted input should be checked with
FILTER_VALIDATE_URL, which reports this URI as invalid[3] due to
the fix for bug #81122.

[1] <>
[2] <>
[3] <>
 [2021-11-11 12:01 UTC]
Automatic comment on behalf of cmb69
Log: Fix #81604: Parse_url wrong hostname detection
 [2021-11-11 12:01 UTC]
-Status: Open +Status: Closed
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Thu Sep 28 19:01:25 2023 UTC