CVE-2020-7071 php: FILTER_VALIDATE_URL accepts URLs with invalid userinfo
If you use filter_var() with the FILTER_VALIDATE_URL option, you may get a false positive validation, which could lead you to use an invalid or purposely malformed URL; an additional side effect is that parse_url() would give you an unexpected domain and/or userinfo. These, in turn, would allow a malicious user to potentially cause an application to retrieve or post to a URL that is not specifically allowed by the system.
Upgrade to PHP 8.0.1 or later, 7.4.14 or later, or 7.3.26 or later.
Whenever possible, do not use user-submitted URLs to make HTTP calls.
If you need to use user-submitted URLs, use a dedicated URI library to validate and/or parse your URLs, such as league/uri.
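A stricter outbound-URL check along the lines of the mitigations above, written as an added example for this advisory (it is not Zend's or PHP's own code): it keeps filter_var() only as a first filter, parses with parse_url(), rejects any URL that carries userinfo, restricts the scheme, and requires an exact host allowlist match. The allowlisted hostname and the sample URLs are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not from the advisory. Returns true only for URLs the
// application should be willing to fetch server-side.
function isAllowedOutboundUrl(string $url, array $allowedHosts): bool
{
    // Built-in validation stays as a cheap first pass, never as the only check.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Only plain http/https; no ftp, file, gopher, etc.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // The advisory's problem is that validation and parsing can disagree about
    // the userinfo part, so refuse any URL that has one rather than interpret it.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    // Exact, case-insensitive host match; no suffix matching, so a host that
    // merely starts with an allowlisted name does not pass.
    $host = strtolower(rtrim($parts['host'], '.'));
    return in_array($host, array_map('strtolower', $allowedHosts), true);
}

$allowedHosts = ['api.example.com'];                 // constructed allowlist
$samples = [
    'https://api.example.com/v1/items',               // allowlisted host, no userinfo
    'https://user:secret@api.example.com/v1/items',   // carries userinfo
    'ftp://api.example.com/file',                     // scheme outside http/https
    'https://api.example.com.other.test/',            // host only prefixed by the allowlisted name
];
foreach ($samples as $sample) {
    printf("%-48s %s\n", $sample, isAllowedOutboundUrl($sample, $allowedHosts) ? 'allow' : 'reject');
}
```

The host check here is deliberately an exact match; if you need to accept subdomains, compare the label sequence explicitly instead of using string suffix tests.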