#34202 closed defect (bug) (fixed)
esc_url() cannot handle IPv6 literal URLs in PHP < 5.4.7
Reported by: | johnbillion | Owned by: | dd32 |
---|---|---|---|
Milestone: | 4.4 | Priority: | low |
Severity: | normal | Version: | 3.1 |
Component: | Formatting | Keywords: | needs-patch has-unit-tests |
Focuses: | Cc: |
Description
In PHP < 5.4.7, parse_url() cannot handle IPv6 literal URLs such as //[::FFFF::127.0.0.1]/. This means esc_url() cannot correctly handle such URLs because it relies on parse_url() to separate the domain/port from the path/query in order to determine whether to encode square brackets or not.
Prior to [34920], esc_url() blindly stripped all square brackets and didn't use parse_url().
Attachments (1)
Change History (13)
#3 follow-up: ↓ 4 @ 9 years ago
esc_url also breaks when an IPv6 address is used in a query arg, e.g. http://example.org/?s=2001:0db8:0000:0000:0000:ff00:0042:8329. It just returns an empty string in that case.
See #34054
#4 in reply to: ↑ 3; follow-up: ↓ 5 @ 9 years ago
Replying to swissspidy:
> esc_url also breaks when an IPv6 address is used in a query arg, e.g. http://example.org/?s=2001:0db8:0000:0000:0000:ff00:0042:8329. It just returns an empty string in that case.
I can't duplicate that under Trunk, does this also require the specific version of PHP?
#5 in reply to: ↑ 4 @ 9 years ago
Replying to dd32:
> Replying to swissspidy:
> > esc_url also breaks when an IPv6 address is used in a query arg, e.g. http://example.org/?s=2001:0db8:0000:0000:0000:ff00:0042:8329. It just returns an empty string in that case.
> I can't duplicate that under Trunk, does this also require the specific version of PHP?
Just noticed that this happens when using a relative URL like edit-comments.php?s=2001:0db8:0000:0000:0000:ff00:0042:8329. In that case esc_url() returns an empty string. Not for edit-comments.php?s=192.168.50.1 however. That works as expected.
#6 follow-up: ↓ 7 @ 9 years ago
I suspect the above issue is caused by the relative URL handling in esc_url() which looks for the presence of a colon to determine whether it's a relative URL or not. That can go in its own ticket.
#7 in reply to: ↑ 6 @ 9 years ago
Replying to johnbillion:
> I suspect the above issue is caused by the relative URL handling in esc_url() which looks for the presence of a colon to determine whether it's a relative URL or not. That can go in its own ticket.
Split off to #34407
#9 @ 9 years ago
- Description modified (diff)
Small clarification to the original description - parse_url() cannot handle schemeless IPv6 URLs prior to PHP 5.4.7, http://[...]/ is fine, //[...]/ isn't.
34202.tests.diff adds tests from #16859 to demonstrate the problem.
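The host/path split that the description and comment 9 rely on, as an added example that is not WordPress core code and not part of the ticket: a parse_url() wrapper that tolerates schemeless URLs on PHP < 5.4.7, and a bracket encoder that leaves square brackets alone only around a valid IPv6 host. The function names, the placeholder scheme and the sample URLs are assumptions made for illustration.

```php
<?php
// Added example; not WordPress core code. Function names are hypothetical.

// parse_url() wrapper for schemeless URLs: PHP < 5.4.7 cannot parse //host/path,
// so a temporary scheme is prepended for parsing and dropped from the result.
function example_parse_url( $url ) {
    $schemeless = ( 0 === strpos( $url, '//' ) );
    $parts      = parse_url( $schemeless ? 'placeholder:' . $url : $url );
    if ( false !== $parts && $schemeless ) {
        unset( $parts['scheme'] );
    }
    return $parts;
}

// Percent-encode square brackets everywhere except around a host that is a
// valid IPv6 literal, where they are delimiters rather than data.
function example_encode_brackets( $url ) {
    $find    = array( '[', ']' );
    $replace = array( '%5B', '%5D' );
    $parts   = example_parse_url( $url );
    $host    = ( is_array( $parts ) && isset( $parts['host'] ) ) ? $parts['host'] : '';

    $is_ipv6 = strlen( $host ) > 2 && '[' === $host[0] && ']' === substr( $host, -1 )
        && false !== filter_var( substr( $host, 1, -1 ), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 );
    if ( ! $is_ipv6 ) {
        // No IPv6 host: every bracket in the URL is data and gets encoded.
        return str_replace( $find, $replace, $url );
    }

    // The authority runs from just after "//" to the first "/", "?" or "#".
    $start = strpos( $url, '//' ) + 2;
    $end   = $start + strcspn( $url, '/?#', $start );
    return substr( $url, 0, $end ) . str_replace( $find, $replace, substr( $url, $end ) );
}

// Constructed sample URLs.
$samples = array(
    '//[::1]/wp-admin/edit.php?ids[]=7',
    'http://[2001:db8::ff00:42:8329]:8080/list[1]',
    'http://example.org/?filter[tag]=x',
);
foreach ( $samples as $url ) {
    echo $url, ' => ', example_encode_brackets( $url ), "\n";
}
```

A bracketed host that fails IPv6 validation is treated as data and encoded, so a malformed literal cannot carry raw brackets into the output.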