"Passing null to parameter #1 ($url) of type string is deprecated" in mydomain.com/%c0
So recently someone accessed mysite.com/%c0 and it would crash the router:
Code:
0: parse_url(): Passing null to parameter #1 ($url) of type string is deprecated
Location:
/home/matej/web/XX/public_html/vendor/pecee/simple-router/src/Pecee/Http/Url.php#460
Trace:
#0 [internal function]: {closure}()
#1 /home/matej/web/XX/public_html/vendor/pecee/simple-router/src/Pecee/Http/Url.php(460): parse_url()
#2 /home/matej/web/XX/public_html/vendor/pecee/simple-router/src/Pecee/Http/Url.php(76): Pecee\Http\Url->parseUrl()
#3 /home/matej/web/XX/public_html/vendor/pecee/simple-router/src/Pecee/Http/Url.php(70): Pecee\Http\Url->parse()
#4 /home/matej/web/XX/public_html/vendor/pecee/simple-router/src/Pecee/Http/Request.php(136): Pecee\Http\Url->__construct()
#5 /home/matej/web/XX/public_html/vendor/pecee/simple-router/src/Pecee/SimpleRouter/Router.php(144): Pecee\Http\Request->__construct()
#6 /home/matej/web/XX/public_html/vendor/pecee/simple-router/src/Pecee/SimpleRouter/Router.php(132): Pecee\SimpleRouter\Router->reset()
#7 /home/matej/web/XX/public_html/vendor/pecee/simple-router/src/Pecee/SimpleRouter/SimpleRouter.php(486): Pecee\SimpleRouter\Router->__construct()
#8 /home/matej/web/XX/public_html/vendor/pecee/simple-router/src/Pecee/SimpleRouter/SimpleRouter.php(275): Pecee\SimpleRouter\SimpleRouter::router()
#9 /home/matej/web/XX/public_html/index.php(209): Pecee\SimpleRouter\SimpleRouter::group()
#10 {main}
IP: XX
User agent: XX
GET:
Array
(
)
POST:
Array
(
)
The line in my index.php is the first one at:
SimpleRouter::group(['middleware' => HandleLogin::class], function() {
    foreach (Page::getPages() as $page)
        SimpleRouter::get($page->getUrl(), function() use ($page) {
            $page->render();
        });
});
Update: Solved by putting
$_SERVER['REQUEST_URI'] = '/' . ltrim(filter_var(urldecode($_SERVER['REQUEST_URI']), FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH), '/');
on the first line in index.php before loading composer
Hello kangarko, can you please explain why this is a security vulnerability? To me it just seems like a normal error and everything should be fine if you are not displaying error messages to the user (even this would just be an information leakage). Could you please adjust your issue title?
Thank you, Marius
Gotcha. I am not sure how the router works internally; I just wanted to point this out. Will adjust.
Update: Solved by putting
$_SERVER['REQUEST_URI'] = '/' . ltrim(filter_var(urldecode($_SERVER['REQUEST_URI']), FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH), '/');
on the first line in index.php before loading composer
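A stricter alternative to the workaround posted above, as an added example that is not part of the thread or of simple-router: answer a request whose percent-decoded URI is not valid UTF-8 (or carries control bytes) with a 400 instead of rewriting `$_SERVER['REQUEST_URI']`. The function names are hypothetical, and the idea that the null reaching `parse_url()` comes from a `/u` regex run over the decoded URL is an assumption, not something the trace confirms.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not simple-router code; the function name is hypothetical).
 * Returns the URI unchanged when its percent-decoded form is valid UTF-8
 * and free of control bytes, otherwise null.
 */
function checkRequestUri(string $rawUri): ?string
{
    $decoded = rawurldecode($rawUri);

    // An empty /u pattern matches any valid UTF-8 subject; on malformed
    // input preg_match() returns false (PREG_BAD_UTF8_ERROR).
    if (preg_match('//u', $decoded) !== 1) {
        return null; // e.g. "/%c0": a lone 0xC0 byte is never valid UTF-8
    }
    // Byte-wise check (no /u) for NUL, CR, LF and other control bytes.
    if (preg_match('/[\x00-\x1F\x7F]/', $decoded) === 1) {
        return null;
    }
    return $rawUri;
}

/**
 * Assumed failure mode (hypothetical helper): a /u replace over the decoded
 * URL yields null on malformed UTF-8, and a null like that is what
 * parse_url() then complains about.
 */
function utf8RegexResult(string $decoded): ?string
{
    return preg_replace('/[^\/]+/u', 'x', $decoded);
}

// Constructed sample requests, not taken from real logs.
$samples = ['/about', '/caf%C3%A9?x=1', '/%c0', '/a%0d%0ab'];
foreach ($samples as $uri) {
    $verdict = checkRequestUri($uri) === null ? '400 Bad Request' : 'route';
    printf("%-16s %s\n", $uri, $verdict);
}
var_dump(utf8RegexResult(rawurldecode('/%c0')));

// In index.php, before the router is constructed:
// if (checkRequestUri($_SERVER['REQUEST_URI'] ?? '/') === null) {
//     http_response_code(400);
//     exit;
// }
```

Unlike decoding and stripping, this leaves valid non-ASCII paths and encoded delimiters such as `%2F` exactly as the client sent them.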
"in index.php before loading composer" ... do you mean before '/vendor/autoload.php' ?