php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #49785 htmlspecialchars() should check byte sequence more strictly
Submitted: 2009-10-06 11:40 UTC Modified: 2009-10-19 09:16 UTC
From: hello at iwamot dot com Assigned: moriyoshi (profile)
Status: Closed Package: Strings related
PHP Version: 5.3.0 OS: *
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: hello at iwamot dot com
New email:
PHP Version: OS:

 

 [2009-10-06 11:40 UTC] hello at iwamot dot com 
Description:
------------
Suppose htmlspecialchars() should check byte sequence more strictly for security reasons. An XSS exploit code has been unveiled.
http://d.hatena.ne.jp/t_komura/20091004/1254665511 [ja]

I wrote a primitive patch.
http://iwamot.com/misc/html.c.patch.20091006
I don't know whether it is useful though :)

Reproduce code:
---------------
// overlong UTF-8 sequence
echo htmlspecialchars("A\xC0\xAF&",     ENT_QUOTES, 'UTF-8');
// invalid Shift_JIS sequence
echo htmlspecialchars("B\x80&",         ENT_QUOTES, 'Shift_JIS');
echo htmlspecialchars("C\x81\x7f&",     ENT_QUOTES, 'Shift_JIS');
// invalid EUC-JP sequence
echo htmlspecialchars("D\x80&",         ENT_QUOTES, 'EUC-JP');
echo htmlspecialchars("E\xA1\xFF&",     ENT_QUOTES, 'EUC-JP');
echo htmlspecialchars("F\x8E\xFF&",     ENT_QUOTES, 'EUC-JP');
echo htmlspecialchars("G\x8F\xA1\xFF&", ENT_QUOTES, 'EUC-JP');

Expected result:
----------------
output nothing

Actual result:
--------------
A_&B_&C&D_&E__&F__&G___&
("_" means an invalid byte)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-10-09 10:02 UTC] svn@php.net 
Automatic comment from SVN on behalf of moriyoshi
Revision: http://svn.php.net/viewvc/?view=revision&revision=289411
Log: - Fixed bug #49785 (insufficient input string validation of htmlspecialchars()).
 [2009-10-09 10:03 UTC] moriyoshi@php.net 
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
 [2009-10-12 14:25 UTC] svn@php.net 
Automatic comment from SVN on behalf of moriyoshi
Revision: http://svn.php.net/viewvc/?view=revision&revision=289565
Log: - Bug #49785: take 3 - fixed infinite loop bug (only for 5.2) (reported by T.Komura. Thanks)
 [2009-10-12 14:29 UTC] svn@php.net 
Automatic comment from SVN on behalf of moriyoshi
Revision: http://svn.php.net/viewvc/?view=revision&revision=289567
Log: - Bug #49785: take 4 - typo. this flaw is unharmful since the return value of get_next_char() is only used when UTF-8 is specified to the third argument.
 [2009-10-13 05:18 UTC] svn@php.net 
Automatic comment from SVN on behalf of moriyoshi
Revision: http://svn.php.net/viewvc/?view=revision&revision=289605
Log: - Bug #49785: take 5. What the hell happened to me...
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 14:01:29 2024 UTC