CVE-2020-7071 php: FILTER_VALIDATE_URL accepts URLs with invalid userinfo
If you use filter_var() with the FILTER_VALIDATE_URL option, you may get a false-positive validation that leads you to accept an invalid or deliberately malformed URL; as a side effect, parse_url() may then return an unexpected host and/or userinfo for that URL. Together, these could allow a malicious user to cause an application to retrieve from, or post to, a URL that the system does not specifically allow.
Upgrade to PHP 8.0.1 or later, 7.4.14 or later, or 7.3.26 or later.
Wherever possible, do not use user-submitted URLs to make HTTP calls.
If you need to use user-submitted URLs, use a dedicated URI library to validate and/or parse your URLs, such as league/uri.
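The following is an added example, not code from the Zend advisory, showing the defensive pattern the advice above implies: treat a FILTER_VALIDATE_URL pass as necessary but not sufficient, reject userinfo at the raw-string level rather than trusting how parse_url() split it, and match the host against an exact allowlist. The allowed hosts and the sample URLs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample allowlist; a real deployment would hold only its own endpoints.
const ALLOWED_HOSTS = ['api.example.com', 'cdn.example.com'];

function isAllowedUrl(string $url, array $allowedHosts = ALLOWED_HOSTS): bool
{
    // Gate 1: syntactic validation. A failure is a definite reject; a pass is not
    // trusted on its own, because unpatched PHP (before 8.0.1 / 7.4.14 / 7.3.26)
    // can accept URLs with invalid userinfo here.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    // Gate 2: only lowercase http/https, and never any userinfo.
    $scheme = $parts['scheme'] ?? '';
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }
    // Gate 3: inspect the raw authority (the text between "scheme://" and the first
    // "/", "?" or "#") instead of relying on parse_url()'s split of it. Any "@",
    // backslash, whitespace or control character means a parser could disagree
    // about where the host starts, so the URL is rejected outright.
    $prefix = $scheme . '://';
    if (strncmp($url, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    $rest = substr($url, strlen($prefix));
    $authority = substr($rest, 0, strcspn($rest, '/?#'));
    if ($authority === '' || preg_match('/[@\\\\\s\x00-\x1f]/', $authority) === 1) {
        return false;
    }
    // Gate 4: exact, case-insensitive host match (no suffix or substring matching).
    $host = strtolower($parts['host'] ?? '');
    return in_array($host, array_map('strtolower', $allowedHosts), true);
}

// Constructed sample inputs: only the first should be accepted.
var_dump(isAllowedUrl('https://api.example.com/v1/items'));        // bool(true)
var_dump(isAllowedUrl('https://user:pw@api.example.com/v1/items')); // bool(false)
var_dump(isAllowedUrl('https://evil.example.net/v1/items'));        // bool(false)
```

This is a policy check, not a replacement for a full URI library such as league/uri; it is meant to be applied before any outbound request is made with a user-supplied URL.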