WordPress.org

Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#34202 closed defect (bug) (fixed)

esc_url() cannot handle IPv6 literal URLs in PHP < 5.4.7

Reported by: johnbillion Owned by: dd32
Milestone: 4.4 Priority: low
Severity: normal Version: 3.1
Component: Formatting Keywords: needs-patch has-unit-tests
Focuses: Cc:

Description (last modified by dd32)

In PHP < 5.4.7, parse_url() cannot handle IPv6 literal URLs such as //[::FFFF::127.0.0.1]/. This means esc_url() cannot correctly handle such URLs because it relies on parse_url() to separate the domain/port from the path/query in order to determine whether to encode square brackets or not.

Prior to [34920], esc_url() blindly stripped all square brackets and didn't use parse_url().

Attachments (1)

34202.tests.diff (1.1 KB) - added by johnbillion 5 years ago.

Download all attachments as: .zip

Change History (13)

#1 @johnbillion
5 years ago

  • Keywords has-unit-tests added

34202.tests.diff adds tests from #16859 to demonstrate the problem.

#2 @swissspidy
5 years ago

#34054 was marked as a duplicate.

#3 follow-up: @swissspidy
5 years ago

esc_url also breaks when an IPv6 address is used in a query arg, e.g. http://example.org/?s=2001:0db8:0000:0000:0000:ff00:0042:8329. It just returns an empty string in that case.

See #34054

#4 in reply to: ↑ 3 ; follow-up: @dd32
5 years ago

Replying to swissspidy:

esc_url also breaks when an IPv6 address is used in a query arg, e.g. http://example.org/?s=2001:0db8:0000:0000:0000:ff00:0042:8329. It just returns an empty string in that case.

I can't duplicate that under Trunk, does this also require the specific version of PHP?

#5 in reply to: ↑ 4 @swissspidy
5 years ago

Replying to dd32:

Replying to swissspidy:

esc_url also breaks when an IPv6 address is used in a query arg, e.g. http://example.org/?s=2001:0db8:0000:0000:0000:ff00:0042:8329. It just returns an empty string in that case.

I can't duplicate that under Trunk, does this also require the specific version of PHP?

Just noticed that this happens when using a relative URL like edit-comments.php?s=2001:0db8:0000:0000:0000:ff00:0042:8329. In that case esc_url() returns an empty string. Not for edit-comments.php?s=192.168.50.1 however. That works as expected.

#6 follow-up: @johnbillion
5 years ago

I suspect the above issue is caused by the relative URL handling in esc_url() which looks for the presence of a colon to determine whether it's a relative URL or not. That can go in its own ticket.

#7 in reply to: ↑ 6 @dd32
5 years ago

Replying to johnbillion:

I suspect the above issue is caused by the relative URL handling in esc_url() which looks for the presence of a colon to determine whether it's a relative URL or not. That can go in its own ticket.

Split off to #34407

#8 @dd32
5 years ago

In 35368:

Comments: Use a full URL rather than a relative one for links which can contain IPv6 addresses to avoid an issue where the URL was being eaten by escaping functions.

See #34407, #34202
Fixes #34054

#9 @dd32
5 years ago

  • Description modified (diff)

Small clarification to the original description - parse_url() cannot handle schemeless IPv6 URLs prior to PHP 5.4.7, http://[...]/ is fine, //[...]/ isn't.

This ticket was mentioned in Slack in #core by dd32. View the logs.


5 years ago

#11 @dd32
5 years ago

  • Owner set to dd32
  • Resolution set to fixed
  • Status changed from new to closed

In 35370:

Use wp_parse_url() in esc_url() to avoid parsing bugs in < PHP 5.4.7.

Props johnbillion for unit tests
See #34408
Fixes #34202

#12 @SergeyBiryukov
5 years ago

  • Milestone changed from Awaiting Review to 4.4
Note: See TracTickets for help on using tickets.