php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #47174 base64_decode interprets pad char in mid string as terminator
Submitted: 2009-01-20 21:04 UTC Modified: 2009-03-09 18:18 UTC
From: rrichards@php.net Assigned: iliaa (profile)
Status: Closed Package: *URL Functions
PHP Version: 5.2.8 OS: *
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: rrichards@php.net
New email:
PHP Version: OS:

 

 [2009-01-20 21:04 UTC] rrichards@php.net
Description:
------------
base64_decode handles a pad as the end of data even when it is not 
terminating a string, in which case it really should be handled as non-
alphabet characters. From rfc 3548 2.3: "Furthermore, such 
specifications may consider the pad character, "=", as not part of the 
base alphabet until the end of the string."

By ignoring all data after the pad, it is difficult to work with 
signature based technologies where the base64 
decoded octects must be compared to determine validity. PHP allows for 
additional data to be added to a signature which ends up being ignored 
when compared, while other implementations do not.

Reproduce code:
---------------
if (base64_decode("dGVzdA==") == base64_decode("dGVzdA==CRAP")) {
    echo "Same octect data - Signature Valid";
} else {
    echo "Invalid Signature";
}

Expected result:
----------------
Invalid Signature

Actual result:
--------------
Same octect data - Signature Valid

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-01-21 15:45 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2009-03-09 18:17 UTC] stas@php.net
Just FYI - this fix breaks SugarCRM version 5.0.0 (which relies on strings like dGVzdA==CRAP to decode correctly) and same may happen to other apps. It's probably their fault but it may be good to know that 5.2.9 works differently there. 
 [2009-03-09 18:18 UTC] stas@php.net
Version 5.2.0.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 05:01:29 2024 UTC