php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #72264 base64_decode $strict fails with whitespace between padding
Submitted: 2016-05-25 18:55 UTC Modified: 2016-06-16 13:45 UTC
From: lauri dot kentta at gmail dot com Assigned:
Status: Closed Package: Strings related
PHP Version: 7.0.6 OS:
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: lauri dot kentta at gmail dot com
New email:
PHP Version: OS:

 

 [2016-05-25 18:55 UTC] lauri dot kentta at gmail dot com 
Description:
------------
base64_decode $strict fails with whitespace between padding.

Test script:
---------------
<?php
var_dump(base64_decode("VV= =", true));


Expected result:
----------------
string(1) "U"


Actual result:
--------------
bool(false)

Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-06-14 13:14 UTC] cmb@php.net 
In my opinion, this is not a bug, but rather expected behavior[1]:

| Returns FALSE if input contains character from outside the
| base64 alphabet.

[1] <http://php.net/manual/en/function.base64-decode.php>
 [2016-06-14 15:20 UTC] lauri dot kentta at gmail dot com 
Whitespace (at least line breaks) is allowed in Base64.

And even with your logic, at least the whitespace should be handled equally in all cases. In other words, base64_decode("VV ==") and base64_decode("VV= =") should yield the same result.
 [2016-06-16 12:51 UTC] cmb@php.net 
> Whitespace (at least line breaks) is allowed in Base64.

Line breaks are allowed, but as far as I know, not in arbitrary
places, and no other whitespace characters are allowed.

> In other words, base64_decode("VV ==") and base64_decode("VV=
> =") should yield the same result.

ACK. Obviously that is not the case now: <https://3v4l.org/4ZV7T>.
 [2016-06-16 13:45 UTC] lauri dot kentta at gmail dot com 
> Line breaks are allowed, but as far as I know, not in arbitrary
> places, and no other whitespace characters are allowed.

RFC 4648 (Base* encoding) doesn't cover these issues;
it only says that any characters outside the Base64 alphabet
MUST be rejected, UNLESS another specification says otherwise.
This means that we can really do as we please, since the same
function may be used in different contexts.

RFC 2045 (MIME) says that "any characters outside of the
base64 alphabet are to be ignored in base64-encoded data".
This is what the "non-strict" mode does, so this is fine,
even though it's really weird to accept stuff like !"#%&.

The current C code specifically tries to ignore white-space
even in "strict" mode. I think that the PHP documentation is
"wrong" in this regard and that this bug should be fixed.
It's obvious that the current "strict" mode is actually
intended as a sensible mode for any sensible input, with
the benefit that anything weird like leaked errors inside
the Base64 string will probably produce FALSE.
Many tools add line breaks in Base64 data, so it's nice to
accept that. (`echo -n U | base64 -w3` == "VQ=\n=\n") == true.
Also, changing the current behavior to be more strict would
cause a BC break, which is probably not acceptable.

PHP doesn't really implement a strict mode for Base64.

So maybe some day we should implement all three modes:
- MIME mode, the current default, ignores any weirdness.
- sensible mode, the current "strict", with Base64 + white space
- really strict mode, which only accepts 0-9A-Za-z+/=
 [2016-07-05 14:57 UTC] nikic@php.net 
Automatic comment on behalf of lauri.kentta@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3380acbdd40f504b08b64c01960dbe8afc91d7ea
Log: base64_decode: fix bug #72264 ('VV= =' shouldn't fail in strict mode)
 [2016-07-05 14:57 UTC] nikic@php.net
-Status: Open +Status: Closed
 [2016-07-06 05:47 UTC] davey@php.net 
Automatic comment on behalf of lauri.kentta@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3380acbdd40f504b08b64c01960dbe8afc91d7ea
Log: base64_decode: fix bug #72264 ('VV= =' shouldn't fail in strict mode)
 [2016-07-06 23:33 UTC] nikic@php.net 
Automatic comment on behalf of lauri.kentta@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3104759915aaeb3c42e596b72eb9d9c542005dcd
Log: base64_decode: fix bug #72264 ('VV= =' shouldn't fail in strict mode)
 [2016-07-20 11:30 UTC] davey@php.net 
Automatic comment on behalf of lauri.kentta@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3104759915aaeb3c42e596b72eb9d9c542005dcd
Log: base64_decode: fix bug #72264 ('VV= =' shouldn't fail in strict mode)
 [2016-07-20 11:30 UTC] davey@php.net 
Automatic comment on behalf of lauri.kentta@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3380acbdd40f504b08b64c01960dbe8afc91d7ea
Log: base64_decode: fix bug #72264 ('VV= =' shouldn't fail in strict mode)
 [2016-10-17 10:11 UTC] bwoebi@php.net 
Automatic comment on behalf of lauri.kentta@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3104759915aaeb3c42e596b72eb9d9c542005dcd
Log: base64_decode: fix bug #72264 ('VV= =' shouldn't fail in strict mode)
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Wed Oct 29 16:00:01 2025 UTC