Opened 10 years ago
Closed 9 years ago
#28015 closed defect (bug) (fixed)
esc_url_raw (esc_url) throw "Uninitialized string offset: 0" with invalid chars
Reported by: | mmems | Owned by: | johnbillion |
---|---|---|---|
Milestone: | 4.4 | Priority: | normal |
Severity: | normal | Version: | 3.3 |
Component: | Formatting | Keywords: | has-patch commit |
Focuses: | | Cc: | |
Description
esc_url_raw('"^[]<>{}`');
Will throw "Uninitialized string offset: 0" because the length of the resulting string (after filtering all invalid chars) is not tested before checking if it's a relative URL:
if ( strpos($url, ':') === false && ! in_array( $url[0], array( '/', '#', '?' ) ) ...
-----------------------------------------------------^
Attachments (5)
Change History (13)
#1
@
10 years ago
- Version changed from 3.9 to 3.3
The second patch is cleaner and does the same thing without adding additional conditions like empty(). The substr() function was used before 3.2. Please check if the patch works for all kinds of input.
#2
@
10 years ago
The error disappears now, but:
esc_url_raw('"^[]<>{}`'); // now returns: "http://"
Maybe the emptiness test should be after chars filtering:
$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url);
$strip = array('%0d', '%0a', '%0D', '%0A');
$url = _deep_replace($strip, $url);
$url = str_replace(';//', '://', $url);
if ( '' == $url )
	return $url;
Instead of:
if ( '' == $url )
	return $url;
$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i', '', $url);
$strip = array('%0d', '%0a', '%0D', '%0A');
$url = _deep_replace($strip, $url);
$url = str_replace(';//', '://', $url);
#6
@
9 years ago
- Keywords needs-unit-tests needs-patch added; has-patch removed
- Milestone changed from Awaiting Review to 4.4
- Owner set to johnbillion
- Status changed from new to accepted
#7
@
9 years ago
- Keywords has-patch commit added; needs-unit-tests needs-patch removed
In 28015.5.diff: If a URL is so malformed that it contains only characters which get stripped out, then the function should bail out early, as it does for an empty URL.
Check if $url is empty after sanitization before checking its first character
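The ordering problem discussed in this ticket, as an added example (not WordPress core code and not any of the attached patches). The function sketch_esc_url_raw() and its $recheck_after_filter switch are hypothetical; the character filter is the one quoted in comment #2, and the _deep_replace() step and the part of the relative-URL condition elided in the description are left out.

```php
<?php
// Added illustration, simplified from the logic quoted in this ticket.
// Character filter as quoted in comment #2.
const STRIP_PATTERN = '|[^a-z0-9-~+_.?#=!&;,/:%@$\|*\'()\\x80-\\xff]|i';

// Hypothetical helper: $recheck_after_filter = false mimics the reported
// behaviour, true applies the "test emptiness after filtering" ordering.
function sketch_esc_url_raw(string $url, bool $recheck_after_filter): string
{
    if ('' === $url) {
        return $url; // original early exit: only catches input that starts out empty
    }

    $url = preg_replace(STRIP_PATTERN, '', $url);
    $url = str_replace(';//', '://', $url);

    if ($recheck_after_filter && '' === $url) {
        return $url; // nothing survived filtering: bail out as for an empty URL
    }

    // Relative-URL test from the description: reads $url[0], which does not
    // exist when every character of the input was stripped.
    if (strpos($url, ':') === false && !in_array($url[0], array('/', '#', '?'), true)) {
        $url = 'http://' . $url;
    }
    return $url;
}

// Capture PHP diagnostics so the string-offset message is shown per call.
$diagnostics = array();
set_error_handler(function (int $no, string $msg) use (&$diagnostics): bool {
    $diagnostics[] = $msg;
    return true;
});

// Constructed sample inputs; the first is the string from the ticket.
$samples = array('"^[]<>{}`', 'example.com/a b', '/relative?x=1', '#frag', '');
foreach ($samples as $raw) {
    foreach (array(false, true) as $recheck) {
        $diagnostics = array();
        $out = sketch_esc_url_raw($raw, $recheck);
        printf("%-18s recheck=%-5s => %-26s %s\n", var_export($raw, true),
            var_export($recheck, true), var_export($out, true), implode('; ', $diagnostics));
    }
}
restore_error_handler();
```

Run it with the PHP CLI: each output line shows the input, the switch, the returned value and any diagnostic captured during that call.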