PHP :: Bug #44366 :: Regex bypass using POISON NULL BYTE

Bug #44366

Regex bypass using POISON NULL BYTE

Submitted:

2008-03-08 03:12 UTC

Modified:

2008-03-08 11:47 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

charlesfol at hotmail dot fr

Assigned:

Status:

Not a bug

Package:

*Regular Expressions

PHP Version:

5.2.5

OS:

nux/win

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	charlesfol at hotmail dot fr
New email:
PHP Version:		OS:

New/Additional Comment:

[2008-03-08 03:12 UTC] charlesfol at hotmail dot fr

Description:
------------
I discovered that in this PHP version, regex could be bypassed using \0 (%00) a.k.a. POISON NULL BYTE.

Reproduce code:
---------------
<?php

$var=$_GET['var'];
$is_alphanum_var = ereg("^[a-zA-Z0-9]+$",$var);
print "$is_alphanum_var\n$var";

?>


Expected result:
----------------
Normally if code contains ad chars such as %,", or _ it will be detected by the regex.

Actual result:
--------------
But if we use this URL:
http://site.com/page.php?var=test%00_-

$is_alphanum_var RETURNS 1, BUT $var CONTAINS _-

Security HOLE.

Warmly, Charles "real" FOL.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-03-08 11:02 UTC] charlesfol at hotmail dot fr

OK, in fact I found that this was a known problem.
I apologize about your wasted time =)

[2008-03-08 11:47 UTC] johannes@php.net

As the reporter said ;-)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Nov 08 02:00:02 2025 UTC