[2015-08-15 13:21 UTC] lukas at owncloud dot com
Description:
------------
While reviewing the PHP source code of a third-party application I stumbled upon the fact that "new DateTimeZone" is not handling the Null-Byte as an error situation.
In this specific case it led to a vulnerability since the security model was mostly relying on input validation instead of output sanitization (the data was then used in another exploitable context such as not using PDO etc.). Thus I filed this as a security-relevant bug.
(besides the fact that an actual exploitation obviously requires some other bug in the application as well)
That said, if the PHP team decides that this does not warrant being handled as a potential security issue I'm completely fine with that, as the application in question has been fixed.
Test script:
---------------
<?php
// Validation helper from the report: relies on the DateTimeZone
// constructor throwing for unknown identifiers.
function isValidTimeZone($zone) {
    try {
        new DateTimeZone($zone);
    } catch (Exception $e) {
        return false;
    }
    return true;
}

var_dump(isValidTimeZone('Europe/Zurich'));      // TRUE, as expected
var_dump(isValidTimeZone('Europe/Zurich/Foo'));  // False, as expected
var_dump(isValidTimeZone("Europe/Zurich\0Foo")); // True, should be false
Expected result:
----------------
new DateTimeZone("Europe/Zurich\0Foo") should throw an exception
Actual result:
--------------
"Europe/Zurich" is used as timezone
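The report's validator trusts the DateTimeZone constructor to reject anything that is not a real identifier, and the NUL byte defeats that because the constructor only sees the bytes before "\0". The following is an added example (not code from the bug report or from PHP itself) showing a stricter check that treats an embedded NUL as invalid and then compares the whole string byte-for-byte against PHP's identifier list, so nothing after a "\0" can ride along. The function names isValidTimeZoneStrict and isValidTimeZoneOriginal are assumed names for this example.

```php
<?php
// Added example, not part of the original report.

/**
 * Strict timezone check (hypothetical helper for this example).
 *
 * Returns true only if $zone is byte-for-byte one of the identifiers PHP
 * knows about. A NUL byte is never legitimate in a timezone name, so it is
 * rejected explicitly instead of being silently truncated by the constructor.
 */
function isValidTimeZoneStrict(string $zone): bool
{
    // strpos() is binary-safe, so it finds an embedded "\0".
    if (strpos($zone, "\0") !== false) {
        return false;
    }
    // Whitelist comparison; strict=true makes in_array() do an exact byte match,
    // so "Europe/Zurich\0Foo" can never equal "Europe/Zurich".
    return in_array($zone, DateTimeZone::listIdentifiers(), true);
}

/**
 * The validator as written in the report, kept for side-by-side comparison.
 * On PHP builds affected by this bug it returns true for "Europe/Zurich\0Foo".
 */
function isValidTimeZoneOriginal(string $zone): bool
{
    try {
        new DateTimeZone($zone);
    } catch (Exception $e) {
        return false;
    }
    return true;
}

// Constructed sample inputs mirroring the report's test script.
$inputs = ['Europe/Zurich', 'Europe/Zurich/Foo', "Europe/Zurich\0Foo"];

foreach ($inputs as $input) {
    printf(
        "%-22s original=%-5s strict=%s\n",
        addcslashes($input, "\0..\37"), // make the NUL visible as \000
        isValidTimeZoneOriginal($input) ? 'true' : 'false',
        isValidTimeZoneStrict($input) ? 'true' : 'false'
    );
}
```

The whitelist approach is deliberately narrower than the constructor: it rejects abbreviations and raw offsets that "new DateTimeZone" accepts, which is usually what an application that stores a user-supplied zone name wants. If those forms are needed, the NUL check on its own is the minimum to keep in front of the constructor, since it removes the truncation that lets validation and later use disagree about what string was checked.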
Patches: 0001-Fix-70277-new-DateTimeZone-foo-is-ignoring-text-afte (last revision 2015-08-16 12:49 UTC by cmb@php.net)
This doesn't look like a security issue to me. For every bug you can invent code like this: if(bugPresent()) { return 1; } else { return 0; } and then invent code which makes security decisions based on whether the code above returns 0 or 1. However, that would make the "security" classification meaningless, as every bug becomes a security bug.