Bug #47174 base64_decode interprets pad char in mid string as terminator
Submitted: 2009-01-20 21:04 UTC Modified: 2009-03-09 18:18 UTC
From: Assigned: iliaa (profile)
Status: Closed Package: *URL Functions
PHP Version: 5.2.8 OS: *
Private report: No CVE-ID: None
 [2009-01-20 21:04 UTC]
base64_decode handles a pad as the end of data even when it is not 
terminating a string, in which case it really should be handled as non-
alphabet characters. From RFC 3548 2.3: "Furthermore, such 
specifications may consider the pad character, "=", as not part of the 
base alphabet until the end of the string."

By ignoring all data after the pad, it is difficult to work with 
signature-based technologies where the base64 
decoded octets must be compared to determine validity. PHP allows for 
additional data to be added to a signature which ends up being ignored 
when compared, while other implementations do not.

Reproduce code:
if (base64_decode("dGVzdA==") == base64_decode("dGVzdA==CRAP")) {
    echo "Same octect data - Signature Valid";
} else {
    echo "Invalid Signature";
}

Expected result:
Invalid Signature

Actual result:
Same octect data - Signature Valid
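
The check the report asks for can also be enforced by the caller, independent of how a given decoder treats data after the pad. This is an added example, not code from the report or from PHP itself; the function names are hypothetical, the expected octets `test` are what the report's `dGVzdA==` decodes to, and it assumes PHP 7.1 or later.

```php
<?php
// Added example; function names are hypothetical, not part of PHP.

/**
 * Decode a base64 signature, accepting only the canonical encoding.
 * Returns the raw octets, or null when the input is not exactly what
 * base64_encode() would produce for those octets.
 */
function decode_canonical_base64(string $b64): ?string
{
    // Strict mode makes base64_decode() return false for input it
    // considers invalid.
    $raw = base64_decode($b64, true);
    if ($raw === false) {
        return null;
    }
    // Round-trip check: data after the pad, missing padding and embedded
    // whitespace all fail here, whatever the decoder skipped or ignored.
    if (base64_encode($raw) !== $b64) {
        return null;
    }
    return $raw;
}

/** Compare a presented base64 signature with the expected raw octets. */
function signature_matches(string $expectedRaw, string $presentedB64): bool
{
    $raw = decode_canonical_base64($presentedB64);
    // hash_equals() avoids leaking the mismatch position through timing.
    return $raw !== null && hash_equals($expectedRaw, $raw);
}

// Constructed sample inputs; the first two are the strings from the report.
$expected = 'test';
$samples = ['dGVzdA==', 'dGVzdA==CRAP', 'dGVzdA', "dGVz\ndA=="];
foreach ($samples as $s) {
    $verdict = signature_matches($expected, $s) ? 'valid' : 'INVALID';
    printf("%-16s %s\n", json_encode($s), $verdict);
}
```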


 [2009-01-21 15:45 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

 [2009-03-09 18:17 UTC]
Just FYI - this fix breaks SugarCRM version 5.0.0 (which relies on strings like dGVzdA==CRAP to decode correctly) and the same may happen to other apps. It's probably their fault but it may be good to know that 5.2.9 works differently there.
 [2009-03-09 18:18 UTC]
Version 5.2.0.
Last updated: Mon Jul 15 15:01:29 2024 UTC