From: phpbugs at pureftpd dot org
Operating system: Any
PHP version: 5.0.4
PHP Bug Type: SimpleXML related
Bug description: simplexml_load_file() decodes the file name

Description:
------------
simplexml_load_file() decodes the argument that is supposed to be a file name. It can be a security flaw. I was able to bypass the Overture adult filter of the search engine of http://skyblog.com by abusing this.

Reproduce code:
---------------
simplexml_load_file('http://example.com/a=' . urlencode('b&c'));

It loads http://example.com/a=b&c (which means that the value of 'a' is 'b', not 'b&c' as intended by the urlencode() call).

simplexml_load_file(rawurlencode('http://example.com/a=' . urlencode('b&c')));

Does the expected behavior and fetches the correct URL.

Expected result:
----------------
Either fix the documentation (the argument is not a file name, but a rawurlencoded one), or the function to behave like fopen(), file_get_contents() and other similar functions.

Actual result:
--------------
URLs are decoded.

--
Edit bug report at http://bugs.php.net/?id=33804&edit=1
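
Added illustration, not part of the original report and not PHP's own code: it models the extra decode pass described above and shows which query parameters the remote server ends up parsing. The function names, the `filter`/`q` parameters and the sample URL are constructed for this example; nothing is fetched over the network.

```php
<?php
// Hypothetical stand-in for a loader that URL-decodes its argument once
// before fetching it, which is the behaviour the report describes.
function model_decoding_loader(string $arg): string
{
    return rawurldecode($arg);
}

// Query parameters a server would parse out of the requested URL.
function server_side_params(string $url): array
{
    $params = [];
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return $params;
}

// Regression check: the parameters that reach the server must be exactly
// the ones the caller encoded. An extra decode turns an encoded '&' or '='
// inside a value into a live delimiter.
function params_preserved(string $intended, string $requested): bool
{
    return server_side_params($intended) === server_side_params($requested);
}

// Constructed sample: the application pins filter=on and appends user input.
$userInput = 'cats&filter=off';
$intended  = 'http://example.com/search?filter=on&q=' . urlencode($userInput);

$cases = [
    // Argument passed as built: the loader's decode rewrites the query.
    'passed as built'   => model_decoding_loader($intended),
    // Workaround from the report: pre-encode the whole argument once more.
    'rawurlencoded arg' => model_decoding_loader(rawurlencode($intended)),
];

echo "intended: $intended\n";
print_r(server_side_params($intended));

foreach ($cases as $label => $requested) {
    echo "\n$label: $requested\n";
    print_r(server_side_params($requested));
    echo 'parameters preserved: ';
    var_dump(params_preserved($intended, $requested));
}
```

The same `params_preserved()` comparison can be pointed at any wrapper that takes a URL argument, to confirm it hands the URL on without an additional decode.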