ID:               42729
 Updated by:       [EMAIL PROTECTED]
 Reported By:      php dot 20 dot zsh at spamgourmet dot com
-Status:           Open
+Status:           Bogus
 Bug Type:         *General Issues
 Operating System: *
 PHP Version:      5.2.4
 New Comment:

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

All HTTP_X headers come from the webserver which ultimately come from
the user and shouldn't be trusted.


Previous Comments:
------------------------------------------------------------------------

[2007-09-21 15:55:40] php dot 20 dot zsh at spamgourmet dot com

Description:
------------
HTTP_X_ORIGINAL_URI can be overridden by sending an X-Original-URI
header. I think that shouldn't be possible... afaik it has nothing to do
with request headers, since it's set even if I only provide a
Host header.

Reproduce code:
---------------
X-Original-URI: javascript:alert(document.cookie)

<?php
echo '<a href="' . $_SERVER['HTTP_X_ORIGINAL_URI'] . '">Try again</a>';
?>


Expected result:
----------------
<a href="http://my-domain.com/script.php">Try again</a>


Actual result:
--------------
<a href="javascript:alert(document.cookie)">Try again</a>



------------------------------------------------------------------------
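The maintainer's point applies to every HTTP_* entry in $_SERVER: the value is a request header the client chose, so it must be validated and escaped before it is written into HTML. The following is an added example, not code from the report or from PHP itself, showing the reporter's snippet beside a hardened version; it assumes PHP 7 or later, a fixed SERVER_NAME from the web server configuration, and a constructed $request array standing in for $_SERVER.

```php
<?php
// Added example (not part of the bug report). $server stands in for $_SERVER.

// Vulnerable: the header value is dropped straight into an href attribute.
function retry_link_unsafe(array $server): string
{
    return '<a href="' . $server['HTTP_X_ORIGINAL_URI'] . '">Try again</a>';
}

// Hardened: accept only a site-local path or an http(s) URL on our own host,
// otherwise fall back to a fixed URL; then HTML-escape the attribute value.
function retry_link_safe(array $server, string $fallback = '/'): string
{
    $uri    = isset($server['HTTP_X_ORIGINAL_URI']) ? $server['HTTP_X_ORIGINAL_URI'] : '';
    $target = $fallback;

    // Site-local path: a single leading "/" (not "//", which browsers read as a
    // scheme-relative URL to another host) and no whitespace or control characters.
    if (preg_match('#\A/(?!/)[^\s\x00-\x1f\x7f]*\z#', $uri)) {
        $target = $uri;
    } else {
        // Absolute URL: only http/https and only our own host name.
        // SERVER_NAME is assumed to come from server configuration, not from the Host header.
        $parts = parse_url($uri);
        if (is_array($parts)
            && isset($parts['scheme'], $parts['host'])
            && in_array(strtolower($parts['scheme']), ['http', 'https'], true)
            && strcasecmp($parts['host'], isset($server['SERVER_NAME']) ? $server['SERVER_NAME'] : '') === 0) {
            $target = $uri;
        }
    }
    // Escaping prevents breaking out of the attribute; validation above prevents javascript: links.
    return '<a href="' . htmlspecialchars($target, ENT_QUOTES, 'UTF-8') . '">Try again</a>';
}

// Constructed request mirroring the report: an attacker-supplied X-Original-URI header.
$request = [
    'SERVER_NAME'         => 'my-domain.com',
    'HTTP_X_ORIGINAL_URI' => 'javascript:alert(document.cookie)',
];
echo retry_link_unsafe($request), "\n";   // reproduces the "Actual result" above
echo retry_link_safe($request), "\n";     // falls back to the fixed URL

// The legitimate value from the "Expected result" passes validation unchanged.
$request['HTTP_X_ORIGINAL_URI'] = 'http://my-domain.com/script.php';
echo retry_link_safe($request), "\n";
```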

