Edit report at https://bugs.php.net/bug.php?id=64582&edit=1
ID:                 64582
Updated by:         johan...@php.net
Reported by:        spam2 at rhsoft dot net
Summary:            file_get_contents() handles redirects wrong
Status:             Open
Type:               Bug
Package:            Scripting Engine problem
Operating System:   Linux
PHP Version:        5.4.13
Block user comment: N
Private report:     N

New Comment:

RFC 2616 Section 14.30 requires "a single absolute URI." for the location
header. Any relative location is not standards compliant.

Previous Comments:
------------------------------------------------------------------------
[2013-04-04 14:55:58] spam2 at rhsoft dot net

Description:
------------
[line "182"] [id "950103"] [msg "path traversal attack"] [data "../"] [hostname "test.test.rh"] [uri "/contentlounge/updateservice/cms_demo/cms//../cms.php"] [unique_id "UV2MrQoAAGMAAE356XkAAAAF"]

in the folder /cms is a simple index.php with
header('Location: ../cms.php');

every normal browser translates path and does not trigger modsec
php triggers the "path traversal"-rule

Expected result:
----------------
call the URL /contentlounge/updateservice/cms_demo/cms/cms.php

Actual result:
--------------
calling the URL /contentlounge/updateservice/cms_demo/cms//../cms.php

------------------------------------------------------------------------

-- 
Edit this bug report at https://bugs.php.net/bug.php?id=64582&edit=1
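
Added example, not part of the bug report and not PHP's own redirect code: a client-side resolver that merges a relative Location value such as the report's "../cms.php" with the requested URL and removes dot segments (RFC 3986, section 5.2.4), so the follow-up request path contains no "../" for a rule like 950103 to match. The function names and the base URL (the report's hostname and folder, assumed to have been requested with a trailing slash) are assumptions made for illustration.

```php
<?php
// Added example: resolve a redirect target and collapse "." / ".." (RFC 3986, 5.2.4).

function remove_dot_segments(string $path): string
{
    $segments = explode('/', $path);
    $out = [];
    foreach ($segments as $seg) {
        if ($seg === '..') {
            // keep the leading "" entry so the path never climbs above "/"
            if (count($out) > 1) { array_pop($out); }
        } elseif ($seg !== '.') {
            $out[] = $seg;
        }
    }
    $last = end($segments);
    if ($last === '.' || $last === '..') {
        $out[] = '';                    // "/a/b/.." resolves to "/a/", not "/a"
    }
    return implode('/', $out);
}

function resolve_location(string $base, string $location): string
{
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $location)) {
        return $location;               // already an absolute URI
    }
    $b = parse_url($base);
    if (strncmp($location, '//', 2) === 0) {
        return $b['scheme'] . ':' . $location;   // network-path reference
    }
    $origin = $b['scheme'] . '://' . $b['host'] . (isset($b['port']) ? ':' . $b['port'] : '');
    $cut = strcspn($location, '?#');    // keep query/fragment out of path handling
    $tail = substr($location, $cut);
    $ref = substr($location, 0, $cut);
    $basePath = $b['path'] ?? '/';
    if ($ref === '') {
        $path = $basePath;              // query- or fragment-only reference
    } elseif ($ref[0] === '/') {
        $path = $ref;                   // absolute-path reference
    } else {
        $path = substr($basePath, 0, strrpos($basePath, '/') + 1) . $ref;
    }
    return $origin . remove_dot_segments($path) . $tail;
}

// Constructed input: hostname and path from the report, folder URL assumed as the request.
$base = 'http://test.test.rh/contentlounge/updateservice/cms_demo/cms/';
echo resolve_location($base, '../cms.php'), PHP_EOL;
```

With the http stream context option follow_location set to 0, a caller can read the Location header itself and pass it through a resolver like this before issuing the next request.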