PHP :: Bug #44366 :: Regex bypass using POISON NULL BYTE

Bug #44366

Regex bypass using POISON NULL BYTE

Submitted:

2008-03-08 03:12 UTC

Modified:

2008-03-08 11:47 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

charlesfol at hotmail dot fr

Assigned:

Status:

Not a bug

Package:

*Regular Expressions

PHP Version:

5.2.5

OS:

nux/win

Private report:

CVE-ID:

None

View Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 41 - 17 = ?
Subscribe to this entry?

[2008-03-08 03:12 UTC] charlesfol at hotmail dot fr

Description:
------------
I discovered that in this PHP version, regex could be bypassed using \0 (%00) a.k.a. POISON NULL BYTE.

Reproduce code:
---------------
<?php

$var=$_GET['var'];
$is_alphanum_var = ereg("^[a-zA-Z0-9]+$",$var);
print "$is_alphanum_var\n$var";

?>


Expected result:
----------------
Normally if code contains ad chars such as %,", or _ it will be detected by the regex.

Actual result:
--------------
But if we use this URL:
http://site.com/page.php?var=test%00_-

$is_alphanum_var RETURNS 1, BUT $var CONTAINS _-

Security HOLE.

Warmly, Charles "real" FOL.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-03-08 11:02 UTC] charlesfol at hotmail dot fr

OK, in fact I found that this was a known problem.
I apologize about your wasted time =)

[2008-03-08 11:47 UTC] johannes@php.net

As the reporter said ;-)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun Feb 16 10:01:29 2025 UTC