php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #38236 Binary data gets corrupted on multipart/formdata POST
Submitted: 2006-07-27 13:22 UTC Modified: 2006-07-27 17:14 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: tsteinbr at igd dot fraunhofer dot de Assigned: iliaa
Status: Closed Package: HTTP related
PHP Version: 5.1.4 OS: Linux (Debian 3.1)
Private report: No CVE-ID:
 [2006-07-27 13:22 UTC] tsteinbr at igd dot fraunhofer dot de
Description:
------------
Binary data supplied from the client via multipart/formdata POST (rfc1867) gets corrupted. Data will be truncated at the first occurence of a zero byte.


Reproduce code:
---------------
We post a variable called "mydata" containing "test\0test" (test, binary zero, test). This data is 9 bytes long.

We use the following PHP code to dump all submitted POST data:
var_dump($_POST);

Here's a hex dump of the POST:
0000: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d ----------------
0010: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 64 35 --------------d5
0020: 66 34 30 63 31 30 63 39 32 66 0d 0a 43 6f 6e 74 f40c10c92f..Cont
0030: 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a ent-Disposition:
0040: 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65  form-data; name
0050: 3d 22 6d 79 64 61 74 61 22 0d 0a 0d 0a 74 65 73 ="mydata"....tes
0060: 74 00 74 65 73 74 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d t.test..--------
0070: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d ----------------
0080: 2d 2d 2d 2d 2d 2d 64 35 66 34 30 63 31 30 63 39 ------d5f40c10c9
0090: 32 66 2d 2d 0d 0a                               2f--

And here's C code (using libcurl) that will generate such a request, which is perfectly RFC1867 compliant:

curl_formadd(&post, &last,
                CURLFORM_COPYNAME, "mydata",
                CURLFORM_PTRCONTENTS, "test\0test",         
               CURLFORM_CONTENTSLENGTH, 9,
               CURLFORM_END);


Expected result:
----------------
array(1) {
  ["mydata"]=>
  string(9) "test"
}



Actual result:
--------------
array(1) {
  ["mydata"]=>
  string(4) "test"
}

Note: The problem can by worked around by using Base64 encoding, etc, but that's not the point. RFC1867 was created for providing a method of sending large quantities of binary data or text containing non-ASCII characters, without the need for inefficient coding. 

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-07-27 17:14 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 24 19:01:53 2014 UTC