php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #81745 parse_url return wrong host if
Submitted: 2023-01-16 14:31 UTC Modified: 2023-01-19 12:49 UTC
From: bengit at protonmail dot com Assigned: cmb (profile)
Status: Duplicate Package: *URL Functions
PHP Version: 8.2.1 OS: UNIX/Windows
Private report: No CVE-ID: None
View Add Comment Developer Edit
 [2023-01-16 14:31 UTC] bengit at protonmail dot com 
Description:
------------
The function parse_url wrongly handle backslash "\" in URL username.

If you try to call parse_url on URL with a value like: 
"//example.com\@google.com"

"host" value will be "google.com" and username "example.com\" 
Whereas browser (Chrome/Firefox at least) will consider "example.com" as the domain and "@google.com as the path

Tested as a HTML link href and has a HTTP "Header location", on both case, the browser considere the domain as "example.com"

This works with all scheme http,https and //

The RFC 3986 do not deals how to exactly handle backslash value.
But we can assume that handling URL like major browser should be the way to do.
They seems to replace backslash by slash.

This is a security concern because parse_url is used to validate URL and a value injection could lead in wrong host detection.

This vulnerability is already actively used - I found some attempts into my server logs.

Can reproduce the issue on 7.4.3 (Unix) / 8.1.2 (Windows) / 8.2.1 (MacOS) 


Test script:
---------------
<?php

$url = '//example.com\@google.com';

var_dump($url);

// Here the domain displayed is "google.com"
var_dump(parse_url($url));

// Click and you will be redirected to "example.com"
?><a href="<?= $url; ?>" target="_blank">Test URL in a browser</a>

Expected result:
----------------
Parsing should return false or example.com in the domain and "@google.com" as a path

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2023-01-16 14:54 UTC] bengit at protonmail dot com
-: bengit at proton dot me +: bengit at protonmail dot com
 [2023-01-16 14:54 UTC] bengit at protonmail dot com 
Just update my email
 [2023-01-19 12:49 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Type: Security +Type: Bug -Assigned To: +Assigned To: cmb
 [2023-01-19 12:49 UTC] cmb@php.net 
> This is a security concern because parse_url is used to validate
> URL

Right.  This is exactly the problem; from the docs[1]:

| This function is not meant to validate the given URL, […]

and particularly:

| This function may not give correct results for relative or
| invalid URLs, and the results may not even match common behavior
| of HTTP clients. If URLs from untrusted input need to be parsed,
| extra validation is required, e.g. by using filter_var() with the
| FILTER_VALIDATE_URL filter.

However, filter_var($url) returns false, so PHP regards this URL
as invalid, and your application should reject it.

That said, parse_url() leaves a lot to be desired, but it is
almost impossible to change its behavior, because some code relies
on arbitrary observable behavior of that function (I fixed a
respective issue a while ago, but that had to be reverted due to
user relying on the broken behavior).

And although the issue is somewhat different I'm closing this as
duplicate of <https://github.com/php/php-src/issues/7890>.

[1] <https://www.php.net/parse_url>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 26 10:01:31 2024 UTC