Bug #72963 Null-byte injection in createFromFormat
Submitted: 2016-08-29 11:24 UTC
Modified: 2022-05-20 13:55 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: qoqe at inbox dot lv
Assigned: derick
Status: Closed
Package: Date/time related
PHP Version: 7.0.10
OS: Linux, Windows
Private report: No
CVE-ID: None
 [2016-08-29 11:24 UTC] qoqe at inbox dot lv
Description:
------------
The createFromFormat method of the DateTime class is sensitive to null-byte injection.

According to best practices for verifying that a date is valid in PHP, the best way is to use DateTime::createFromFormat because it returns false if the date isn't valid. This way of verifying dates is used in many CMS systems (for example, in Drupal).

The problem is that DateTime::createFromFormat's second parameter is vulnerable to a null byte, which can be passed to it when the createFromFormat method is used to verify a GET or POST param.

Here are the results if the application calls DateTime::createFromFormat('m/d/Y', $_GET['startFrom']); where

startFrom=8/8/2016 - will return true
startFrom=8/8/2016asd - will return false
startFrom=8/8/2016%00asd - will return true

It seems to be a reliable verification that a date is valid, and a developer might not use htmlspecialchars or real_escape_string after it. This may lead to SQL Injection or XSS.



Test script:
---------------
 <?php
 
    function verifyDate($date, $strict = true) {
        $dateTime = DateTime::createFromFormat('m/d/Y', $date);
        if ($strict) {
            $errors = DateTime::getLastErrors();
            if (!empty($errors['warning_count'])) {
                return false;
            }
        }
        return $dateTime !== false;
    }
    
    if(!empty($_GET['startFrom']) && verifyDate($_GET['startFrom'])) {
    
        // query to database without escaping $_GET['startFrom']
        // because it has passed verification of valid date
    
    }
    
    // tests
    
    var_dump(verifyDate('asd')); // false
    var_dump(verifyDate('8/8/2016')); // true
    var_dump(verifyDate('8/8/2016asdasd')); // false
    var_dump(verifyDate("8/8/2016\x00asdasd")); // true
 
 ?>
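
A stricter validator for the m/d/Y case in the report, as an added example (not part of the original report and not PHP's own code). It rejects any byte outside the expected date shape before parsing and hands back a re-serialised value, so the raw request string never reaches a query or a page. The name parseDateStrict is hypothetical and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Parse a user-supplied m/d/Y date and return a canonical Y-m-d string,
 * or null if the input is not exactly a valid date.
 * parseDateStrict() is a hypothetical helper name, not a PHP built-in.
 */
function parseDateStrict(string $input): ?string
{
    // Allow only digits and slashes in the expected shape. \A and \z anchor
    // to the absolute start and end, so an embedded NUL byte or any
    // trailing data fails here, before the date parser sees the string.
    if (!preg_match('#\A\d{1,2}/\d{1,2}/\d{4}\z#', $input)) {
        return null;
    }

    // '!' resets unparsed fields (time of day) instead of using "now".
    $dt = DateTimeImmutable::createFromFormat('!m/d/Y', $input);
    if ($dt === false) {
        return null;
    }

    // Warnings cover out-of-range dates such as 2/31/2016.
    // getLastErrors() returns false on newer PHP versions when there
    // is nothing to report, and an array otherwise.
    $errors = DateTimeImmutable::getLastErrors();
    if ($errors !== false
        && ($errors['warning_count'] > 0 || $errors['error_count'] > 0)) {
        return null;
    }

    // Return the value rebuilt from the parsed date, never the raw input.
    return $dt->format('Y-m-d');
}

// Constructed sample inputs, including the NUL-byte case from the report.
$samples = ['8/8/2016', '8/8/2016asdasd', "8/8/2016\x00asdasd", '2/31/2016'];
foreach ($samples as $s) {
    var_dump(parseDateStrict($s));
}
```

The returned string should still be bound as a parameter in a prepared statement and escaped on output; the validator only narrows what the value can be.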


History

 [2016-09-02 04:57 UTC] stas@php.net
-Type: Security
+Type: Bug
-Assigned To:
+Assigned To: derick
 [2022-05-26 14:20 UTC] git@php.net
Automatic comment on behalf of derickr
Revision: https://github.com/php/php-src/commit/2dcd82162e822e189fea17ac2f88bb53e06023a1
Log: Fixed bug #72963 (Null-byte injection in CreateFromFormat and related functions)
 [2022-05-26 14:20 UTC] git@php.net
-Status: Assigned
+Status: Closed