ID: 33804 Updated by: [EMAIL PROTECTED] Reported By: phpbugs at pureftpd dot org Status: Open -Bug Type: SimpleXML related +Bug Type: Documentation problem Operating System: Any PHP Version: 5.0.4 New Comment:
libxml2 unescapes the URI, so this should be documented. Previous Comments: ------------------------------------------------------------------------ [2005-07-21 14:38:15] phpbugs at pureftpd dot org Description: ------------ simplexml_load_file() decodes the argument that is supposed to be a file name. It can be a security flaw. I was able to bypass the Overture adult filter of the search engine of a http://skyblog.com by abusing this. Reproduce code: --------------- simplexml_load_file('http://example.com/a=' . urlencode('b&c')); It loads http://example.com/a=b&c (which means that the value of 'a' is 'b' not 'b&c' as intended by the urlencode() call). simplexml_load_file(rawurlencode('http://example.com/a=' . urlencode('b&c'))); Does the expected behavior and fetches the correct URL. Expected result: ---------------- Either fix the documentation (the argument is not a file name, but a rawurlencoded one), or the function to behave like fopen (), file_get_contents() and other similar functions. Actual result: -------------- URLs are decoded. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=33804&edit=1
