ID: 16337
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: HTTP related
Operating System: Unix based
PHP Version: 4.1.0
New Comment:
Correction:
PHP's fopen url wrapper doesn't appear to unencode ANY encodings at
all. Since the HTTP spec only excludes ':' from the username (and
nothing at all from the password), this bug makes many
username:password pairs unusable.
Previous Comments:
------------------------------------------------------------------------
[2002-03-28 18:12:28] [EMAIL PROTECTED]
When include() is called with the following syntax:
include("http://username:[EMAIL PROTECTED]/";);
It is the duty of the include call to tokenize the username and
password, and to urldecode each of them. Why? Because things would
break if a username contained 'www.example.com/?var=' or say a
password contained an @. So, it is the duty of the caller to urlencode
these tokens, and the duty of include (or a sub function) to unencode
it after parsing.
However, it has been observed in PHP 4.1.x that '%' characters (or
their equivalent '%25') are not decoded properly. Prior use of this
feature leads us to believe the 4.0.x series of PHP does not have this
problem.
We run websites with hundreds of users. We would appreciate a quick
response, because we would rather not force all users with '%'s in
their passwords to change them. Thank you.
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=16337&edit=1
