From: mpub at meiners-online dot de Operating system: Linux PHP version: 5.2.4 PHP Bug Type: Output Control Bug description: URL rewrite mechanism - data sent to foreign sites
Description: ------------ When I use output_add_rewrite_var($key, $value), it also adds a hidden field containing $key and $value to forms which have an absolute URL as action-attribute of the form-tag. The transparent session-ID support (using the directive session.use_trans_sid) is also affected. I also reported this problem as 42804 in the session-section and was a bit shocked about the answer that I simply shouldn't use the feature and the classification "bogus". This section is maybe better anyway. The configure-line of my provider: ../configure --program-suffix=5 --with-pear=/usr/local/lib/php5 --with-config-file-path=/usr/local/lib/php5 --with-libxml-dir=/usr/local/php5 --with-mysqli=/usr/local/mysql/bin/mysql_config --enable-soap --with-xsl=/usr/local/php5 --enable-mbstring=all --with-curl=/usr/local/php5 --with-mcrypt=/usr/local/php5 --with-gd --with-pdo-mysql=/usr/local/mysql --with-freetype-dir --with-libxml-dir=/usr/local/php5 --with-mysql=/usr/local/mysql --with-zlib --enable-debug=no --enable-safe-mode=no --enable-discard-path=no --with-png-dir=/usr/lib --enable-track-vars --with-db --with-gdbm --enable-force-cgi-redirect --with-ttf=/usr/ --enable-ftp --enable-dbase --enable-memory-limit --enable-calendar --enable-wddx --with-jpeg-dir=/usr/src/kundenserver/jpeg-6b --enable-bcmath --enable-gd-imgstrttf --enable-shmop --enable-mhash --with-mhash=/usr/src/kundenserver/mhash-0.8.9/ --with-openssl --enable-xslt --with-xslt-sablot --with-dom --with-dom-xslt --with-dom-exslt --with-imap --with-iconv=/usr/local --with-bz2 --with-gettext --enable-exif --with-idn --with-sqlite --enable-sqlite-utf8 Reproduce code: --------------- output_add_rewrite_var('sessionID','12345'); ?> Type in your city to get to know how you can find us: <form action="http://www.carRoutes.com/search.php"> <input type="text" name="city" /> <input type="submit" /> </form> <?php Expected result: ---------------- I expect to get the form unchanged as output because the manual says "Please note that absolute URLs (http://example.com/..) aren't rewritten." Actual result: -------------- The output is: Type in your city to get to know how you can find us: <form action="http://www.carRoutes.com/search.php"><input type="hidden" name="sessionID" value="12345" /> <input type="text" name="city" /> <input type="submit" /> </form> -- Edit bug report at http://bugs.php.net/?id=42869&edit=1 -- Try a CVS snapshot (PHP 4.4): http://bugs.php.net/fix.php?id=42869&r=trysnapshot44 Try a CVS snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=42869&r=trysnapshot52 Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=42869&r=trysnapshot60 Fixed in CVS: http://bugs.php.net/fix.php?id=42869&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=42869&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=42869&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=42869&r=needscript Try newer version: http://bugs.php.net/fix.php?id=42869&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=42869&r=support Expected behavior: http://bugs.php.net/fix.php?id=42869&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=42869&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=42869&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=42869&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=42869&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=42869&r=dst IIS Stability: http://bugs.php.net/fix.php?id=42869&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=42869&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=42869&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=42869&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=42869&r=mysqlcfg