ID:               33804
 Updated by:       [EMAIL PROTECTED]
 Reported By:      phpbugs at pureftpd dot org
-Status:           Open
+Status:           Closed
 Bug Type:         Documentation problem
 Operating System: Any
 PHP Version:      5.0.4
 New Comment:

This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation
better.

"Libxml 2 unescapes the URI, so if you want to pass e.g. b&c as the URI
parameter a, you have to call
simplexml_load_file(rawurlencode('http://example.com/?a=' .
urlencode('b&c')))."


Previous Comments:
------------------------------------------------------------------------

[2005-07-21 14:50:34] [EMAIL PROTECTED]

libxml2 unescapes the URI, so this should be documented.

------------------------------------------------------------------------

[2005-07-21 14:38:15] phpbugs at pureftpd dot org

Description:
------------
simplexml_load_file() decodes the argument that is supposed to 
be a file name.

It can be a security flaw. I was able to bypass the Overture 
adult filter of the search engine of a http://skyblog.com by 
abusing this.

Reproduce code:
---------------
simplexml_load_file('http://example.com/a=' . urlencode('b&c'));

It loads http://example.com/a=b&c (which means that the value of 'a' is
'b' not 'b&c' as intended by the urlencode() call).

simplexml_load_file(rawurlencode('http://example.com/a=' .
urlencode('b&c')));

Does the expected behavior and fetches the correct URL.

Expected result:
----------------
Either fix the documentation (the argument is not a file name, 
but a rawurlencoded one), or the function to behave like fopen
(), file_get_contents() and other similar functions.

Actual result:
--------------
URLs are decoded.


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=33804&edit=1

Reply via email to