Bug #47174 base64_decode interprets pad char in mid string as terminator
Submitted: 2009-01-20 21:04 UTC    Modified: 2009-03-09 18:18 UTC
From:    Assigned: iliaa
Status: Closed    Package: *URL Functions
PHP Version: 5.2.8    OS: *
Private report: No    CVE-ID: None

 [2009-01-20 21:04 UTC]
base64_decode handles a pad as the end of data even when it is not terminating a string, in which case it really should be handled as a non-alphabet character. From RFC 3548 2.3: "Furthermore, such specifications may consider the pad character, "=", as not part of the base alphabet until the end of the string."

By ignoring all data after the pad, it is difficult to work with signature-based technologies where the base64-decoded octets must be compared to determine validity. PHP allows for additional data to be added to a signature which ends up being ignored when compared, while other implementations do not.

Reproduce code:
<?php
// "dGVzdA==" is "test"; "dGVzdA==CRAP" carries data after the pad.
// A decoder that stops at the pad makes both decode to the same octets.
if (base64_decode("dGVzdA==") == base64_decode("dGVzdA==CRAP")) {
    echo "Same octet data - Signature Valid";
} else {
    echo "Invalid Signature";
}
Expected result:
Invalid Signature

Actual result:
Same octet data - Signature Valid
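The comparison the report describes, as an added example (not code from the bug report or from PHP): a lenient decoder that treats a complete pad sequence as end-of-data, next to a decoder that applies the RFC 3548 section 2.3 rule that "=" is not an alphabet character until the end of the string. Python's default base64.b64decode shows the same truncation as PHP 5.2.8 did, so it stands in for the lenient side. The strict decoder also rejects non-canonical encodings whose unused trailing bits are non-zero, a second way to get two different strings that decode to the same octets. The HMAC key, message and token strings are constructed for this example.

```python
"""Strict versus lenient base64 decoding in a signature check.

Added example for PHP bug #47174; not code from the report or from PHP.
The key, message and tokens below are constructed for the demonstration.
"""
import base64
import hashlib
import hmac

_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_VALUE = {c: i for i, c in enumerate(_ALPHABET)}


def lenient_b64decode(s: str) -> bytes:
    """Decoding as PHP 5.2.8 did it and as Python's default b64decode does:
    non-alphabet characters are skipped and a complete pad sequence ends
    decoding, so everything after "==" is silently dropped."""
    return base64.b64decode(s)


def strict_b64decode(s: str) -> bytes:
    """Decode with "=" accepted only as the final one or two characters
    (RFC 3548 section 2.3 / RFC 4648 section 3.3).  Also reject encodings
    whose unused trailing bits are not zero, so each octet string has
    exactly one accepted encoding.  Violations raise ValueError instead of
    truncating or skipping input."""
    if len(s) % 4:
        raise ValueError("length is not a multiple of 4")
    body = s.rstrip("=")
    pad = len(s) - len(body)
    if pad > 2:
        raise ValueError("more than two pad characters")
    bad = [c for c in body if c not in _VALUE]
    if bad:
        # A "=" anywhere before the end of the string lands here too.
        raise ValueError("non-alphabet character %r" % bad[0])
    out = bytearray()
    for i in range(0, len(s), 4):
        chunk = s[i:i + 4]
        v = [_VALUE.get(c, 0) for c in chunk]       # "=" contributes zero bits
        n = (v[0] << 18) | (v[1] << 12) | (v[2] << 6) | v[3]
        group = n.to_bytes(3, "big")
        keep = 3 - chunk.count("=")                  # pad occurs only in the last chunk
        if any(group[keep:]):
            raise ValueError("non-canonical encoding: trailing bits are not zero")
        out += group[:keep]
    return bytes(out)


def strict_rejects(s: str) -> bool:
    """True if strict_b64decode refuses the input."""
    try:
        strict_b64decode(s)
    except ValueError:
        return True
    return False


def sign(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 tag, base64 encoded (32 bytes -> 44 chars ending in one '=')."""
    return base64.b64encode(hmac.new(key, message, hashlib.sha256).digest()).decode()


def verify(key: bytes, message: bytes, tag_b64: str, decode) -> bool:
    """Decode the presented tag with `decode`, then compare decoded octets in
    constant time.  With the lenient decoder this is the check the report
    shows passing for "dGVzdA==CRAP"."""
    try:
        presented = decode(tag_b64)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(presented, expected)


def trailing_garbage(tag_b64: str) -> str:
    """Append data after the pad, as in the report's "dGVzdA==CRAP"."""
    return tag_b64 + "CRAP"


def noncanonical(tag_b64: str) -> str:
    """A different string with the same octets under a lenient decoder: set
    the low, unused bits of the last data character before a single pad."""
    assert tag_b64.endswith("=") and not tag_b64.endswith("==")
    last = tag_b64[-2]
    return tag_b64[:-2] + _ALPHABET[_VALUE[last] + 1] + "="


if __name__ == "__main__":
    KEY = b"hypothetical-demo-key"       # constructed for the example
    MSG = b"amount=10&to=alice"
    tag = sign(KEY, MSG)
    for label, t in [("genuine", tag),
                     ("trailing garbage", trailing_garbage(tag)),
                     ("non-canonical", noncanonical(tag))]:
        print("%-17s lenient=%-5s strict=%s" % (
            label, verify(KEY, MSG, t, lenient_b64decode),
            verify(KEY, MSG, t, strict_b64decode)))
```

The practical point for a verifier is that comparing decoded octets is not enough on its own: either the decoder must reject anything that is not the single canonical encoding, or the check must compare the base64 string it was given against a freshly computed canonical encoding.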


 [2009-01-21 15:45 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

 [2009-03-09 18:17 UTC]
Just FYI - this fix breaks SugarCRM version 5.0.0 (which relies on strings like dGVzdA==CRAP to decode correctly) and same may happen to other apps. It's probably their fault but it may be good to know that 5.2.9 works differently there. 
 [2009-03-09 18:18 UTC]
Version 5.2.0.
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Tue Sep 26 17:01:25 2023 UTC