ID: 16337 Updated by: [EMAIL PROTECTED] -Summary: include() does not decode % correctly Reported By: [EMAIL PROTECTED] Status: Open Bug Type: HTTP related Operating System: Unix based PHP Version: 4.1.0 New Comment:
in case anyone wondered, the HTTP spec I am refering to, is at: http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2068.html (Section 11.1) Since RFC 2616 doesn't specify user-pass strings, I assume this older RFC still applies. Previous Comments: ------------------------------------------------------------------------ [2002-04-10 19:57:48] [EMAIL PROTECTED] Correction: PHP's fopen url wrapper doesn't appear to unencode ANY encodings at all. Since the HTTP spec only excludes ':' from the username (and nothing at all from the password), this bug makes many username:password pairs unusable. ------------------------------------------------------------------------ [2002-03-28 18:12:28] [EMAIL PROTECTED] When include() is called with the following syntax: include("http://username:[EMAIL PROTECTED]/";); It is the duty of the include call to tokenize the username and password, and to urldecode each of them. Why? Because things would break if a username contained 'www.example.com/?var=' or say a password contained an @. So, it is the duty of the caller to urlencode these tokens, and the duty of include (or a sub function) to unencode it after parsing. However, it has been observed in PHP 4.1.x that '%' characters (or their equivalent '%25') are not decoded properly. Prior use of this feature leads us to believe the 4.0.x series of PHP does not have this problem. We run websites with hundreds of users. We would appreciate a quick response, because we would rather not force all users with '%'s in their passwords to change them. Thank you. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=16337&edit=1
