{"id":669,"date":"2012-09-19T23:13:33","date_gmt":"2012-09-19T21:13:33","guid":{"rendered":"https:\/\/d-mueller.de\/blog\/?p=669"},"modified":"2012-09-19T23:13:33","modified_gmt":"2012-09-19T21:13:33","slug":"why-url-validation-with-filter_var-might-not-be-a-good-idea","status":"publish","type":"post","link":"https:\/\/d-mueller.de\/blog\/why-url-validation-with-filter_var-might-not-be-a-good-idea\/","title":{"rendered":"Why URL validation with filter_var might not be a good idea"},"content":{"rendered":"
Prefer this in German? Warum URL-Validierung mit filter_var keine gute Idee ist<\/a><\/div>\n

Since PHP 5.2 brought us the filter_var<\/a> function, the time of such monsters was over (taken from here<\/a>):<\/p>\n

\r\n$urlregex = "^(https?|ftp)\\:\\\/\\\/([a-z0-9+!*(),;?&=\\$_.-]+(\\:[a-z0-9+!*(),;?&=\\$_.-]+)?@)?[a-z0-9+\\$_-]+(\\.[a-z0-9+\\$_-]+)*(\\:[0-9]{2,5})?(\\\/([a-z0-9+\\$_-]\\.?)+)*\\\/?(\\?[a-z+&\\$_.-][a-z0-9;:@\/&%=+\\$_.-]*)?(#[a-z_.-][a-z0-9+\\$_.-]*)?\\$";\r\nif (eregi($urlregex, $url)) {echo "good";} else {echo "bad";}\r\n<\/pre>\n
The simple, yet effective syntax:<\/p>\n
\r\nfilter_var($url, FILTER_VALIDATE_URL)\r\n<\/pre>\n
As third parameter, filter flags can be passed. Considering URL validation, the following 4 flags are availible:<\/p>\n
\r\nFILTER_FLAG_SCHEME_REQUIRED\r\nFILTER_FLAG_HOST_REQUIRED\r\nFILTER_FLAG_PATH_REQUIRED \r\nFILTER_FLAG_QUERY_REQUIRED \r\n<\/pre>\n
The first two FILTER_FLAG_SCHEME_REQUIRED<\/i> and FILTER_FLAG_HOST_REQUIRED<\/i> are the default.<\/p>\n
Get started!<\/h2>\n
Alright, let’s look at some critical examples.<\/p>\n
\r\nfilter_var('http:\/\/example.com\/"><script>alert("xss")<\/script>', FILTER_VALIDATE_URL) !== false; \/\/true\r\n<\/pre>\n
Well, nobody said that filter_var was built to fight XSS. Let’s accept this and move on:<\/p>\n
\r\nfilter_var('php:\/\/filter\/read=convert.base64-encode\/resource=\/etc\/passwd', FILTER_VALIDATE_URL) !== false; \/\/true\r\n<\/pre>\n
Way more critical. Any scheme will pass the filter. http(s) and ftp would have been acceptable, but this is problematic. filter_var has to deal with all the evilness<\/a> that a url can contain.<\/p>\n
\r\nfilter_var('foo:\/\/bar', FILTER_VALIDATE_URL) !== false; \/\/true\r\n<\/pre>\n
And the best<\/h2>\n
\r\nfilter_var('javascript:\/\/test%0Aalert(321)', FILTER_VALIDATE_URL) !== false; \/\/true\r\n<\/pre>\n
Let’s take a closer look: javascript is the scheme. Of course, hit javascript:alert(1+2+3+4);<\/i> in the address bar of your browser and you’ll see:<\/p>\n
\"Javascript-URL\"<\/a>
Javascript-URL<\/p><\/div>\n
This is the way that bookmarklets work and not a secret. But let’s move on: The double \/\/ starts an ordinary javascript comment and convinces filter_var that we are dealing with a valid url scheme – look at the examples above. After that, the sequence %0A<\/i> follows, which is exactly the output of the following code:<\/p>\n
\r\necho urlencode("\\n");\r\n<\/pre>\n
Get it? Because of the url encoded newline, the javascript comment started with \/\/<\/i> will be finished and what follows is arbitrary javascript code. Imagine a dating site where user urls are validated with filter_var and displayed on the front page. Very evil. Try it yourself<\/a>.<\/p>\n
And now?<\/h2>\n
The following modification of filter_var could be worth wile:<\/p>\n
\r\nfunction validate_url($url)\r\n{\r\n\t$url = trim($url);\r\n\t\r\n\treturn ((strpos($url, "http:\/\/") === 0 || strpos($url, "https:\/\/") === 0) &&\r\n\t\t    filter_var($url, FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED | FILTER_FLAG_HOST_REQUIRED) !== false);\r\n}\r\n<\/pre>\n
But even with this wrapping function, the – at least very unusual – url http:\/\/x<\/i> passes validation. Maybe, the regex monsters are not that bad ;). And before I forget: filter_var is not multibyte capable. The absolutely valid url http:\/\/\uc2a4\ud0c0\ubc85\uc2a4\ucf54\ub9ac\uc544.com<\/a> is being rejected:<\/p>\n
\r\nvar_dump(filter_var("http:\/\/\uc2a4\ud0c0\ubc85\uc2a4\ucf54\ub9ac\uc544.com", FILTER_VALIDATE_URL) !== false); \/\/bool(false)\r\n<\/pre>\n
To conclude: use filter_var with care, adapt to your situation and be aware of the weaknesses. Finally, I’d like to recommend this nice collection<\/a> of filter_var tests dependent on the filter flags. Ah, and have a look at Symfony 2’s url validator<\/a>, if you like.<\/p>\n","protected":false},"excerpt":{"rendered":"
Prefer this in German? Warum URL-Validierung mit filter_var keine gute Idee ist Since PHP 5.2 brought us the filter_var function, the time of such monsters was over (taken from here): $urlregex = "^(https?|ftp)\\:\\\/\\\/([a-z0-9+!*(),;?&=\\$_.-]+(\\:[a-z0-9+!*(),;?&=\\$_.-]+)?@)?[a-z0-9+\\$_-]+(\\.[a-z0-9+\\$_-]+)*(\\:[0-9]{2,5})?(\\\/([a-z0-9+\\$_-]\\.?)+)*\\\/?(\\?[a-z+&\\$_.-][a-z0-9;:@\/&%=+\\$_.-]*)?(#[a-z_.-][a-z0-9+\\$_.-]*)?\\$"; if (eregi($urlregex, $url)) {echo "good";} else {echo … Weiterlesen →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4,6,14,3],"tags":[],"class_list":["post-669","post","type-post","status-publish","format-standard","hentry","category-php","category-security","category-php-wtf","category-webdev"],"_links":{"self":[{"href":"https:\/\/d-mueller.de\/blog\/wp-json\/wp\/v2\/posts\/669","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/d-mueller.de\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/d-mueller.de\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/d-mueller.de\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/d-mueller.de\/blog\/wp-json\/wp\/v2\/comments?post=669"}],"version-history":[{"count":0,"href":"https:\/\/d-mueller.de\/blog\/wp-json\/wp\/v2\/posts\/669\/revisions"}],"wp:attachment":[{"href":"https:\/\/d-mueller.de\/blog\/wp-json\/wp\/v2\/media?parent=669"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/d-mueller.de\/blog\/wp-json\/wp\/v2\/categories?post=669"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/d-mueller.de\/blog\/wp-json\/wp\/v2\/tags?post=669"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}