ID: 33804 Updated by: [EMAIL PROTECTED] Reported By: phpbugs at pureftpd dot org -Status: Open +Status: Closed Bug Type: Documentation problem Operating System: Any PHP Version: 5.0.4 New Comment:
This bug has been fixed in the documentation's XML sources. Since the online and downloadable versions of the documentation need some time to get updated, we would like to ask you to be a bit patient. Thank you for the report, and for helping us make our documentation better. "Libxml 2 unescapes the URI, so if you want to pass e.g. b&c as the URI parameter a, you have to call simplexml_load_file(rawurlencode('http://example.com/?a=' . urlencode('b&c')))." Previous Comments: ------------------------------------------------------------------------ [2005-07-21 14:50:34] [EMAIL PROTECTED] libxml2 unescapes the URI, so this should be documented. ------------------------------------------------------------------------ [2005-07-21 14:38:15] phpbugs at pureftpd dot org Description: ------------ simplexml_load_file() decodes the argument that is supposed to be a file name. It can be a security flaw. I was able to bypass the Overture adult filter of the search engine of a http://skyblog.com by abusing this. Reproduce code: --------------- simplexml_load_file('http://example.com/a=' . urlencode('b&c')); It loads http://example.com/a=b&c (which means that the value of 'a' is 'b' not 'b&c' as intended by the urlencode() call). simplexml_load_file(rawurlencode('http://example.com/a=' . urlencode('b&c'))); Does the expected behavior and fetches the correct URL. Expected result: ---------------- Either fix the documentation (the argument is not a file name, but a rawurlencoded one), or the function to behave like fopen (), file_get_contents() and other similar functions. Actual result: -------------- URLs are decoded. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=33804&edit=1