php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #70277 new DateTimeZone($foo) is ignoring text after null byte
Submitted: 2015-08-15 13:21 UTC Modified: 2015-08-17 14:04 UTC
From: lukas at owncloud dot com Assigned: derick (profile)
Status: Closed Package: timezonedb (PECL)
PHP Version: 5.6.12 OS: *
Private report: No CVE-ID: None
 [2015-08-15 13:21 UTC] lukas at owncloud dot com
Description:
------------
While reviewing the PHP source code of a third-party application  I stumbled upon the fact that "new DateTimeZone" is not handling the Null-Byte as an error situation.

In this specific case it lead to a vulnerability since the security model was mostly relying on input validation instead of output sanitization (the data was then used in another exploitable context such as not using PDO etc.). Thus I filed this as security relevant bug.
(besides the fact that an actual exploitation obviously requires some other bug in the application as well)

That said, if the PHP team decides that this does not warrant to be handled as security potential issue I'm completely fine with that as the application in question has been fixed.

Test script:
---------------
<?php

function isValidTimeZone($zone) {
	try{
	    new DateTimeZone($zone);
	} catch(Exception $e) {
	    return false;
	}
	return true;
}

var_dump(isValidTimeZone('Europe/Zurich')); // TRUE, as expected
var_dump(isValidTimeZone('Europe/Zurich/Foo')); // False, as expected
var_dump(isValidTimeZone("Europe/Zurich\0Foo")); // True, should be false

Expected result:
----------------
new DateTimeZone("Europe/Zurich\0Foo") should throw an exception

Actual result:
--------------
"Europe/Zurich" is used as timezone

Patches

0001-Fix-70277-new-DateTimeZone-foo-is-ignoring-text-afte (last revision 2015-08-16 12:49 UTC by cmb@php.net)

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-08-16 07:40 UTC] stas@php.net
-Assigned To: +Assigned To: derick
 [2015-08-16 07:42 UTC] stas@php.net
-Type: Security +Type: Bug
 [2015-08-16 07:42 UTC] stas@php.net
This doesn't look like security issue to me. For every bug you can invent code like this: if(bugPresent()) { return 1; } else { return 0; } and then invent code which makes security decisions based on if the code above returns 0 or 1. However, that would make "security" classification meaningless, as every bug becomes security bug.
 [2015-08-16 12:48 UTC] cmb@php.net
-Status: Assigned +Status: Analyzed -Operating System: Linux +Operating System: *
 [2015-08-16 12:48 UTC] cmb@php.net
Indeed, the DateTimeZone constructors are not binary safe. They're
parsing the timezone as string, but discard the length when
calling timezone_initialize(). It seems to be appropriate to add a
tz_len parameter and a respective check to timezone_initialize(),
see the attached patch (`git am` against master).
 [2015-08-16 12:49 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: 0001-Fix-70277-new-DateTimeZone-foo-is-ignoring-text-afte
Revision:   1439729384
URL:        https://bugs.php.net/patch-display.php?bug=70277&patch=0001-Fix-70277-new-DateTimeZone-foo-is-ignoring-text-afte&revision=1439729384
 [2015-08-16 15:41 UTC] derick@php.net
The patch has white space issues in the first block.
 [2015-08-17 14:04 UTC] cmb@php.net
I've submitted PR #1474 <https://github.com/php/php-src/pull/1474>.
 [2015-08-17 17:36 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bb057498f7457e8b2eba98332a3bad434de4cf12
Log: Fix #70277: new DateTimeZone($foo) is ignoring text after null byte
 [2015-08-17 17:36 UTC] cmb@php.net
-Status: Analyzed +Status: Closed
 [2015-08-18 16:24 UTC] ab@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bb057498f7457e8b2eba98332a3bad434de4cf12
Log: Fix #70277: new DateTimeZone($foo) is ignoring text after null byte
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 12:01:31 2024 UTC