[2005-07-20 12:24 UTC] tony2001@php.net
Description:
------------
NUL character (C string terminator) is allowed in file paths passed to OS functions, which causes unexpected truncation of the string. This is a security risk for popular, sloppy code like:

include($_GET['page'].'.i-feel-safe.php');

because ?page=/etc/passwd%00 circumvents such "protection". IMHO PHP should throw an error if a PHP string can't be safely converted to a C string.

Reproduce code:
---------------
<?php
fopen(urldecode("test%00.html"),"r");

Expected result:
----------------
Error: illegal path

Actual result:
--------------
Warning: fopen(test) [function.fopen]: failed to open stream: No such file or directory in c:\www\test.php5 on line 2
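The report's point is that a NUL byte silently truncates the C path, so the appended ".i-feel-safe.php" suffix never reaches the OS. The following is an added example (not code from the bug report or from PHP) of how application code can refuse such input itself; the $baseDir layout, the pages/ directory and the resolve_page() helper are assumptions for the demo.

```php
<?php
// Added example: a hardened replacement for the include($_GET['page'].'.i-feel-safe.php')
// pattern quoted in the report. resolve_page() and the pages/ directory are assumed.

/**
 * Resolve a user-supplied page name to a file inside $baseDir, or return null.
 * A PHP string may contain "\0" but a C path cannot, so the NUL is rejected
 * explicitly; the result is then confined to $baseDir so "../" cannot escape.
 */
function resolve_page(string $page, string $baseDir): ?string
{
    // The report's core issue: a NUL would truncate the C string and drop
    // the ".i-feel-safe.php" suffix, so refuse it up front.
    if (strpos($page, "\0") !== false) {
        return null;
    }
    // Only a simple token is accepted; this also defeats "/etc/passwd" and "../".
    // \z (not $) so a trailing newline cannot slip through.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }
    $base      = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.i-feel-safe.php');
    // realpath() returns false for missing files and canonicalises symlinks,
    // so a final prefix check confirms the file really lives under $base.
    if ($base === false || $candidate === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Usage: fail the request with the reporter's expected "illegal path" error
// instead of letting include() see a truncated path.
$page = $_GET['page'] ?? '';
$file = resolve_page($page, __DIR__ . '/pages');
if ($file === null) {
    http_response_code(400);
    exit('Error: illegal path');
}
include $file;
```

With this helper, ?page=/etc/passwd%00 is rejected by the NUL check (and again by the token regex) before any OS call is made, which is the behaviour the report asks PHP itself to provide.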