php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #43162 GET date variable name not binary-safe on null bytes
Submitted: 2007-10-31 13:23 UTC Modified: 2007-11-09 01:00 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: ryat at wolvez dot org Assigned:
Status: No Feedback Package: *General Issues
PHP Version: 5.2.4 OS: Ubuntu7.10
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: ryat at wolvez dot org
New email:
PHP Version: OS:

 

 [2007-10-31 13:23 UTC] ryat at wolvez dot org
Description:
------------
GET date variable name not binary-safe on null bytes

Reproduce code:
---------------
<?php
print_r($_GET);
?>


http://127.0.0.1/test.php?a%00aaaa=test

Actual result:
--------------
Array ( [a] => test )

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-10-31 16:41 UTC] crescentfreshpot at yahoo dot com
php is written in C. In C the null byte represents the end of a string. I don't think php can work around this.
 [2007-10-31 17:01 UTC] ryat at wolvez dot org
Hihi,pay attention to:

magic_quotes_gpc=on

http://127.0.0.1/test.php?a'aaaa=test

Actual result:
--------------
Array ( [a\'aaaa] => test )


http://127.0.0.1/test.php?a%00aaaa=test

Actual result:
--------------
Array ( [a] => test )
 [2007-11-01 08:32 UTC] ryat at wolvez dot org
Replenish other example

magic_quotes_gpc=on

http://127.0.0.1/test/test3.php?a%00aaaa=a%00aaaa

Array ( [a] => a\0aaaa )

magic_quotes_gpc=off

http://127.0.0.1/test/test3.php?a%00aaaa=a%00aaaa

Array ( [a] => aaaaa )
 [2007-11-01 09:25 UTC] jani@php.net
And why would you want to pass null byte in the parameter name? 

 [2007-11-01 11:46 UTC] zizzy at wolvez dot org
I want to know is this is bug?
 [2007-11-01 14:45 UTC] carsten_sttgt at gmx dot de
> And why would you want to pass null byte in the parameter name?
Because it's allowed to use "%00" in a query_string ;-) In $_SERVER['QUERY_STRING'] you have the correct value.

It's also allowed, and works, to use "\0" as array key:
| $a = array("a\0aaaa" => "test");
| echo $a["a\0aaaa"].PHP_EOL;
| echo strlen(key($a));
prints:
| test
| 6

This also works:
| $s = 'a%00aaaa=test';
| $s = rawurldecode($s);
| $t = explode('=', $s);
| $a[$t[0]] = $t[1];
| unset($t);
| var_dump($a);

But this not:
| $s = 'a%00aaaa=test';
| $s = rawurldecode($s);
| parse_str($s, $a);
| var_dump($a);

Maybe the problem is:
With a possible "register_globals = on" or only "parse_str($s);", you have an illegal variable name?

So, that is a bug, but maybe a "won't fix" and should be described in the manual?

Regards,
Carsten
 [2007-11-09 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2009-06-23 21:21 UTC] me at evancarroll dot com
Close this bug report dup of http://bugs.php.net/bug.php?id=36183
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Dec 26 16:01:31 2024 UTC