CVE-2020-7071 php: FILTER_VALIDATE_URL accepts URLs with invalid userinfo

Publication Date: 2021-01-03
Severity: Moderate
Type: Server-Side Request Forgery (improper input validation)
Affected PHP Versions
  • 5.6
  • 7.0
  • 7.1
  • 7.2
  • 7.3.0 - 7.3.25
  • 7.4.0 - 7.4.13
  • 8.0.0

CVE Details

If you validate a URL with filter_var() and the FILTER_VALIDATE_URL option, a URL whose userinfo component (the user:password@ part that precedes the host) contains characters that RFC 3986 does not permit there may still be accepted. The result is a false positive: the application goes on to use a malformed or deliberately crafted URL, and parse_url() may then return a host and/or userinfo other than the one the validation step appeared to approve. An attacker who controls the URL can use this to make the application retrieve from, or post to, a URL that the application's own rules do not allow.

Recommendations

Upgrade to PHP 8.0.1 or later, 7.4.14 or later, or 7.3.26 or later. PHP 7.2 and earlier branches are end of life and will not receive a fix; move them to a supported branch.

Whenever possible, do not make HTTP calls to user-submitted URLs at all.

If you must accept user-submitted URLs, validate and parse them with a dedicated RFC 3986 URI library such as league/uri rather than relying on filter_var() alone, and check the parsed scheme and host against an explicit allowlist before making the request. A syntactic validator only tells you that a string looks like a URL; it is the allowlist that decides where the application may connect.
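The following is an added example of the allowlist check described above; it is not code from the advisory or from PHP's own source, and the function and class names (validateOutboundUrl, isRfc3986Userinfo, UrlPolicyException) are hypothetical. It uses filter_var() only as a coarse first pass, then parses the URL, rejects credentials in the URL by default (or, when they are explicitly permitted, checks them against the character set RFC 3986 section 3.2.1 allows in userinfo), and finally requires the parsed host to match an exact allowlist. The sample inputs at the bottom are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not part of the advisory. Names below are hypothetical.
final class UrlPolicyException extends RuntimeException {}

/**
 * RFC 3986 section 3.2.1: userinfo = *( unreserved / pct-encoded / sub-delims / ":" )
 * Returns true only if every character of $userinfo belongs to that set.
 */
function isRfc3986Userinfo(string $userinfo): bool
{
    return preg_match('/\A(?:[A-Za-z0-9\-._~!$&\'()*+,;=:]|%[0-9A-Fa-f]{2})*\z/', $userinfo) === 1;
}

/**
 * Returns $url unchanged if it passes every check, otherwise throws UrlPolicyException.
 *
 * @param string[] $allowedHosts exact host names the application may contact
 */
function validateOutboundUrl(string $url, array $allowedHosts, bool $allowUserinfo = false): string
{
    // 1. Coarse syntactic pass. Necessary, but never sufficient on its own.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new UrlPolicyException('malformed URL');
    }

    // 2. Structural parse. parse_url() returns false on seriously malformed input,
    //    and a URL without a scheme or host cannot be allowlisted.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new UrlPolicyException('URL has no scheme or host');
    }

    // 3. Plain HTTP(S) only: no file://, php://, gopher:// and similar.
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        throw new UrlPolicyException("scheme '{$scheme}' is not allowed");
    }

    // 4. Userinfo is the component this CVE concerns. An ordinary fetch never needs
    //    credentials in the URL, so reject them by default; if they are permitted,
    //    require every character to be one RFC 3986 allows there.
    if (isset($parts['user']) || isset($parts['pass'])) {
        if (!$allowUserinfo) {
            throw new UrlPolicyException('credentials in the URL are not permitted');
        }
        $userinfo = ($parts['user'] ?? '') . (isset($parts['pass']) ? ':' . $parts['pass'] : '');
        if (!isRfc3986Userinfo($userinfo)) {
            throw new UrlPolicyException('userinfo contains characters RFC 3986 does not allow');
        }
    }

    // 5. Exact, case-insensitive host match. No suffix or substring matching, which is
    //    exactly what a crafted userinfo such as "allowed.host@" is designed to fool.
    $host = strtolower($parts['host']);
    if (!in_array($host, array_map('strtolower', $allowedHosts), true)) {
        throw new UrlPolicyException("host '{$host}' is not in the allowlist");
    }

    // 6. Standard ports only (parse_url() returns the port as an int).
    if (isset($parts['port']) && $parts['port'] !== 80 && $parts['port'] !== 443) {
        throw new UrlPolicyException("port {$parts['port']} is not allowed");
    }

    return $url;
}

// Constructed sample inputs for illustration.
$allowed = ['api.example.com'];
$samples = [
    'https://api.example.com/v1/items',            // accepted
    'https://api.example.com:8443/v1/items',       // non-standard port
    'https://user:secret@api.example.com/v1/items', // credentials in URL
    'https://api.example.com@evil.example.net/',   // allowlisted name is only the userinfo
    'http://user:{pass@api.example.com/',          // '{' is not allowed in userinfo
    'file:///etc/passwd',                          // wrong scheme / no host
];

foreach ($samples as $sample) {
    try {
        validateOutboundUrl($sample, $allowed);
        echo "ACCEPT  {$sample}\n";
    } catch (UrlPolicyException $e) {
        echo "REJECT  {$sample}  ({$e->getMessage()})\n";
    }
}
```

The order of the checks matters less than the fact that the host comparison is made against the value parse_url() actually returns, not against the raw string: a substring or prefix match on the raw URL is what a crafted userinfo defeats. Note also that this check covers only the URL the application was given; an HTTP client that follows redirects must either have redirects disabled or re-apply the same check to every hop.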