From:             mpub at meiners-online dot de
Operating system: Linux
PHP version:      5.2.4
PHP Bug Type:     Output Control
Bug description:  URL rewrite mechanism - data sent to foreign sites

Description:
------------
When I use output_add_rewrite_var($key, $value), it also adds a hidden
field containing $key and $value to forms which have an absolute URL as
the action attribute of the form tag.

The transparent session-ID support (using the directive
session.use_trans_sid) is also affected.

I also reported this problem as 42804 in the session-section and was a bit
shocked about the answer that I simply shouldn't use the feature and the
classification "bogus". This section is maybe better anyway.



The configure-line of my provider:

../configure --program-suffix=5 --with-pear=/usr/local/lib/php5
--with-config-file-path=/usr/local/lib/php5
--with-libxml-dir=/usr/local/php5
--with-mysqli=/usr/local/mysql/bin/mysql_config --enable-soap
--with-xsl=/usr/local/php5 --enable-mbstring=all
--with-curl=/usr/local/php5 --with-mcrypt=/usr/local/php5 --with-gd
--with-pdo-mysql=/usr/local/mysql --with-freetype-dir
--with-libxml-dir=/usr/local/php5 --with-mysql=/usr/local/mysql --with-zlib
--enable-debug=no --enable-safe-mode=no --enable-discard-path=no
--with-png-dir=/usr/lib --enable-track-vars --with-db --with-gdbm
--enable-force-cgi-redirect --with-ttf=/usr/ --enable-ftp --enable-dbase
--enable-memory-limit --enable-calendar --enable-wddx
--with-jpeg-dir=/usr/src/kundenserver/jpeg-6b --enable-bcmath
--enable-gd-imgstrttf --enable-shmop --enable-mhash
--with-mhash=/usr/src/kundenserver/mhash-0.8.9/ --with-openssl
--enable-xslt --with-xslt-sablot --with-dom --with-dom-xslt
--with-dom-exslt --with-imap --with-iconv=/usr/local --with-bz2
--with-gettext --enable-exif --with-idn --with-sqlite --enable-sqlite-utf8

Reproduce code:
---------------
<?php
output_add_rewrite_var('sessionID','12345');

?>
Type in your city to get to know how you can find us:
<form action="http://www.carRoutes.com/search.php">
<input type="text" name="city" />
<input type="submit" />
</form>
<?php

Expected result:
----------------
I expect to get the form unchanged as output because the manual says
"Please note that absolute URLs (http://example.com/..) aren't rewritten."

Actual result:
--------------
The output is:

Type in your city to get to know how you can find us:
<form action="http://www.carRoutes.com/search.php"><input type="hidden"
name="sessionID" value="12345" />
<input type="text" name="city" />
<input type="submit" />
</form>

-- 
Edit bug report at http://bugs.php.net/?id=42869&edit=1
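
Added example, not part of the original report or of PHP itself: a check over rendered HTML that flags rewrite variables emitted as hidden fields inside forms whose action points at another host, which is the behaviour shown under "Actual result". The own host name www.example.org, the helper names and the second (same-site) form in the sample are assumptions made for the illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the "Actual result" markup from the report plus a
# same-site form with a relative action, where the hidden field is expected.
SAMPLE_HTML = """
<form action="http://www.carRoutes.com/search.php"><input type="hidden"
name="sessionID" value="12345" />
<input type="text" name="city" />
<input type="submit" />
</form>
<form action="/login.php"><input type="hidden" name="sessionID" value="12345" />
<input type="text" name="user" />
</form>
"""

class ForeignFormAudit(HTMLParser):
    """Collect (action, field name) for rewrite vars inside off-site forms."""
    def __init__(self, own_host, rewrite_vars):
        super().__init__()
        self.own_host = own_host.lower()
        self.rewrite_vars = set(rewrite_vars)
        self.foreign_action = None  # action URL of the off-site form we are in
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # hostname is None for relative actions; "//host/x" still has one.
            host = urlsplit(a.get("action") or "").hostname
            foreign = bool(host) and host != self.own_host
            self.foreign_action = a.get("action") if foreign else None
        elif tag == "input" and self.foreign_action is not None:
            if (a.get("type") or "").lower() == "hidden" and a.get("name") in self.rewrite_vars:
                self.findings.append((self.foreign_action, a["name"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self.foreign_action = None

def audit(html, own_host, rewrite_vars):
    parser = ForeignFormAudit(own_host, rewrite_vars)
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for action, name in audit(SAMPLE_HTML, "www.example.org", ["sessionID"]):
        print(f"hidden field {name!r} would be submitted to {action}")
```

For pages that rely on session.use_trans_sid, pass the configured session name as the rewrite variable to look for.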