[2009-01-21 15:45 UTC] iliaa@php.net
[2009-03-09 18:17 UTC] stas@php.net
[2009-03-09 18:18 UTC] stas@php.net
Description:
------------
base64_decode handles a pad as the end of data even when it is not terminating a string, in which case it really should be handled as non-alphabet characters.

From RFC 3548 2.3: "Furthermore, such specifications may consider the pad character, "=", as not part of the base alphabet until the end of the string."

By ignoring all data after the pad, it is difficult to work with signature based technologies where the base64 decoded octets must be compared to determine validity. PHP allows for additional data to be added to a signature which ends up being ignored when compared, while other implementations do not.

Reproduce code:
---------------
if (base64_decode("dGVzdA==") == base64_decode("dGVzdA==CRAP")) {
    echo "Same octect data - Signature Valid";
} else {
    echo "Invalid Signature";
}

Expected result:
----------------
Invalid Signature

Actual result:
--------------
Same octect data - Signature Valid
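
A defensive check for code that compares base64-encoded signatures, as an added example (not part of the original report and not PHP's own code): it accepts a value only if it is the canonical encoding of its payload, so data appended after the pad is rejected whatever the decoder does with it. The function names `decode_canonical_base64` and `signatures_match` are hypothetical, and the sample inputs are constructed. The round-trip test goes slightly beyond the reported case and also rejects embedded whitespace and non-canonical trailing bits.

```php
<?php
declare(strict_types=1);

/**
 * Return the decoded octets only when $encoded is the canonical base64
 * encoding of those octets; return null for anything else.
 */
function decode_canonical_base64(string $encoded): ?string
{
    // Strict mode rejects characters outside the base64 alphabet.
    $raw = base64_decode($encoded, true);
    if ($raw === false || $raw === '') {
        return null;
    }
    // Round trip: if re-encoding does not reproduce the input byte for
    // byte, the input carried extra or non-canonical data (for example
    // text after the "=" pad) and must not be treated as equivalent.
    if (base64_encode($raw) !== $encoded) {
        return null;
    }
    return $raw;
}

/** Compare two base64-encoded signatures on their decoded octets. */
function signatures_match(string $expectedB64, string $presentedB64): bool
{
    $expected  = decode_canonical_base64($expectedB64);
    $presented = decode_canonical_base64($presentedB64);
    if ($expected === null || $presented === null) {
        return false;
    }
    // hash_equals compares in constant time for equal-length strings.
    return hash_equals($expected, $presented);
}

// Constructed sample inputs; the first two are the strings from the report.
$cases = [
    'exact encoding'      => 'dGVzdA==',
    'data after the pad'  => 'dGVzdA==CRAP',
    'embedded newline'    => "dGVz\ndA==",
    'non-canonical bits'  => 'dGVzdB==',
];
foreach ($cases as $label => $presented) {
    $ok = signatures_match('dGVzdA==', $presented);
    printf("%-20s %s\n", $label, $ok ? 'Signature Valid' : 'Invalid Signature');
}
```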