Doc Bug #81604 Parse_url wrong hostname detection
Submitted: 2021-11-09 13:29 UTC Modified: 2021-11-09 16:07 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: noahcore95 at gmail dot com Assigned:
Status: Closed Package: *URL Functions
PHP Version: 7.4.25 OS: Linux
Private report: No CVE-ID: None
 [2021-11-09 13:29 UTC] noahcore95 at gmail dot com
Description:
------------
Parse_url usage may lead to an open redirect vulnerability. Firefox and Chrome open google.com instead of php.net.

Test script:
---------------
<?php

$x= 'https://:@google.com\@php.net';
print_r(parse_url($x));



Expected result:
----------------
Array
(
    [scheme] => https
    [host] => google.com
    [user] => 
    [pass] => ?
)

Actual result:
--------------
Array
(
    [scheme] => https
    [host] => php.net
    [user] => 
    [pass] => @google.com\
)

History

 [2021-11-09 16:07 UTC] cmb@php.net
-Type: Bug +Type: Documentation Problem
 [2021-11-09 16:07 UTC] cmb@php.net
This is an invalid URI, since the host must not be empty[1].
According to the documentation[2]:

| Partial and invalid URLs are also accepted, parse_url() tries
| its best to parse them correctly.

There is no claim that this best effort matches common browser
behavior.  However, the documentation should be improved to make it
clear that at least untrusted input should be checked with
FILTER_VALIDATE_URL, which reports this URI as invalid[3] due to
the fix for bug #81122.

[1] <https://datatracker.ietf.org/doc/html/rfc3986#appendix-A>
[2] <https://www.php.net/parse_url>
[3] <https://3v4l.org/6ed54>
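The check the maintainer describes, written out as an added example (not code from this report or from the PHP manual): validate untrusted input with FILTER_VALIDATE_URL before calling parse_url(), and then compare the parsed host against an explicit allowlist rather than trusting whichever host the best-effort parser picked. It assumes a PHP build that includes the fix for bug #81122 referenced above; the function name and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Return $url if it is acceptable as a redirect target, otherwise null.
 * Validation happens before parsing, because parse_url() is documented as
 * best effort and will split an invalid URI into whatever it can.
 */
function safe_redirect_target(string $url, array $allowedHosts): ?string
{
    // 1. Reject anything that is not a syntactically valid URL. The URI from
    //    this report fails here (see the maintainer's note above), so the
    //    host disagreement between browsers and parse_url() never matters.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }

    // 2. Only now split the URL; parse_url() returns false on badly broken input.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }

    // 3. Enforce scheme and host explicitly: an allowlist, not a blocklist.
    if (strtolower($parts['scheme']) !== 'https') {
        return null;
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;
    }

    return $url;
}

// Constructed inputs: the URI from this report plus two well-formed ones.
$allowed = ['php.net', 'www.php.net'];
$samples = [
    'https://:@google.com\@php.net', // from the report: rejected by FILTER_VALIDATE_URL
    'https://php.net/manual/',        // valid and on the allowlist
    'https://google.com/',            // valid but not on the allowlist
];
foreach ($samples as $url) {
    $result = safe_redirect_target($url, $allowed);
    printf("%-32s => %s\n", $url, $result === null ? 'rejected' : 'allowed');
}
```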
 [2021-11-11 12:01 UTC] git@php.net
Automatic comment on behalf of cmb69
Revision: https://github.com/php/doc-en/commit/57f4d8e58f5a0e95cf3c0ee1a14fbc30cb4114d7
Log: Fix #81604: Parse_url wrong hostname detection
 [2021-11-11 12:01 UTC] git@php.net
-Status: Open +Status: Closed
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Apr 26 00:01:30 2024 UTC