|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2014-03-21 15:34 UTC] oroszisam at gmail dot com
[2014-06-08 21:21 UTC] stas@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: stas
[2014-06-08 21:21 UTC] stas@php.net
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sat Feb 22 17:01:28 2025 UTC |
Description: ------------ In asn1_time_to_time_t [ext/openssl/openssl.c], the Y2K bug makes a cameo appearance: [...] *thestr = '\0'; thestr -= 2; thetime.tm_year = atoi(thestr); if (thetime.tm_year < 68) { thetime.tm_year += 100; } This piece of code is the part of a backwards UTCTime parser. It moves 2 positions to the left, and converts those two characters to an int. However, certs with a validity past 2050 contain GeneralizedTime formatted timestamps allowing 4 characters in the year field instead of the UTCTime this function parses (badly). [rfc5280, 4.1.2.5] Test script: --------------- An example script that demonstrates the problem with a cert expiring 2101: http://pastebin.com/Yij0q1qn Expected result: ---------------- Actual time string of validity: 21010828070405Z parsed with strtotime: 4154655845 [2101-08-28] parsed with asn1_time_to_time_t: 4154655845 [2101-08-28] Actual result: -------------- Actual time string of validity: 21010828070405Z parsed with strtotime: 4154655845 [2101-08-28] parsed with asn1_time_to_time_t: 998982245 [2001-08-28]