php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #49785 htmlspecialchars() should check byte sequence more strictly
Submitted: 2009-10-06 11:40 UTC Modified: 2009-10-19 09:16 UTC
From: hello at iwamot dot com Assigned: moriyoshi
Status: Closed Package: Strings related
PHP Version: 5.3.0 OS: *
Private report: No CVE-ID:
 [2009-10-06 11:40 UTC] hello at iwamot dot com
Description:
------------
Suppose htmlspecialchars() should check byte sequence more strictly for security reasons. An XSS exploit code has been unveiled.
http://d.hatena.ne.jp/t_komura/20091004/1254665511 [ja]

I wrote a primitive patch.
http://iwamot.com/misc/html.c.patch.20091006
I don't know whether it is useful though :)

Reproduce code:
---------------
// overlong UTF-8 sequence
echo htmlspecialchars("A\xC0\xAF&",     ENT_QUOTES, 'UTF-8');
// invalid Shift_JIS sequence
echo htmlspecialchars("B\x80&",         ENT_QUOTES, 'Shift_JIS');
echo htmlspecialchars("C\x81\x7f&",     ENT_QUOTES, 'Shift_JIS');
// invalid EUC-JP sequence
echo htmlspecialchars("D\x80&",         ENT_QUOTES, 'EUC-JP');
echo htmlspecialchars("E\xA1\xFF&",     ENT_QUOTES, 'EUC-JP');
echo htmlspecialchars("F\x8E\xFF&",     ENT_QUOTES, 'EUC-JP');
echo htmlspecialchars("G\x8F\xA1\xFF&", ENT_QUOTES, 'EUC-JP');

Expected result:
----------------
output nothing

Actual result:
--------------
A_&B_&C&D_&E__&F__&G___&
("_" means an invalid byte)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-10-09 10:02 UTC] svn@php.net
Automatic comment from SVN on behalf of moriyoshi
Revision: http://svn.php.net/viewvc/?view=revision&revision=289411
Log: - Fixed bug #49785 (insufficient input string validation of htmlspecialchars()).
 [2009-10-09 10:03 UTC] moriyoshi@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2009-10-12 14:25 UTC] svn@php.net
Automatic comment from SVN on behalf of moriyoshi
Revision: http://svn.php.net/viewvc/?view=revision&revision=289565
Log: - Bug #49785: take 3 - fixed infinite loop bug (only for 5.2) (reported by T.Komura. Thanks)
 [2009-10-12 14:29 UTC] svn@php.net
Automatic comment from SVN on behalf of moriyoshi
Revision: http://svn.php.net/viewvc/?view=revision&revision=289567
Log: - Bug #49785: take 4 - typo. this flaw is unharmful since the return value of get_next_char() is only used when UTF-8 is specified to the third argument.
 [2009-10-13 05:18 UTC] svn@php.net
Automatic comment from SVN on behalf of moriyoshi
Revision: http://svn.php.net/viewvc/?view=revision&revision=289605
Log: - Bug #49785: take 5. What the hell happened to me...
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 10:02:09 2014 UTC