ID: 33805 Updated by: [EMAIL PROTECTED] Reported By: phpbugs at pureftpd dot org -Status: Open +Status: Bogus Bug Type: SimpleXML related Operating System: Any PHP Version: 5.0.4 New Comment:
Please do not submit the same bug more than once. An existing bug report already describes this very problem. Even if you feel that your issue is somewhat different, the resolution is likely to be the same. Thank you for your interest in PHP. Previous Comments: ------------------------------------------------------------------------ [2005-07-21 14:38:24] phpbugs at pureftpd dot org Description: ------------ simplexml_load_file() decodes the argument that is supposed to be a file name. It can be a security flaw. I was able to bypass the Overture adult filter of the search engine of a http://skyblog.com by abusing this. Reproduce code: --------------- simplexml_load_file('http://example.com/a=' . urlencode('b&c')); It loads http://example.com/a=b&c (which means that the value of 'a' is 'b' not 'b&c' as intended by the urlencode() call). simplexml_load_file(rawurlencode('http://example.com/a=' . urlencode('b&c'))); Does the expected behavior and fetches the correct URL. Expected result: ---------------- Either fix the documentation (the argument is not a file name, but a rawurlencoded one), or the function to behave like fopen (), file_get_contents() and other similar functions. Actual result: -------------- URLs are decoded. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=33805&edit=1
