php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #60395 Null byte in source causes file to be ignored, no error or warning reported
Submitted: 2011-11-26 23:17 UTC Modified: 2011-11-28 15:24 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: nh at ngin dot de Assigned:
Status: Open Package: Unknown/Other Function
PHP Version: Irrelevant OS: any
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2011-11-26 23:17 UTC] nh at ngin dot de
Description:
------------
NULL bytes in the source code seem to confuse PHP. See test script below. The 
code in the file is not executed, and no error or warning is shown.

The result is the same if you run it from the command line or from a web server 
(ruling out a web server problem).

This bug has been discovered on MacOS X (10.6.8) with a default, unpatched PHP 
5.3.6; but it has been reproduced (so far) as well on Debian 2.6.26-2 with the 
most recent version of PHP.

It does not matter where the null byte(s) is/are placed. They can even be inside 
a comment!

I discovered this bug by accident as I had inadvertently copied a NULL-byte into 
a comment inside a file that I was require()'ing from elsewhere. The require()'d 
code was not run, but, even with error_reporting(-1), no warning or error 
message was displayed. I couldn't figure out what was wrong until I looked at 
the file with a text editor that can make non-printing characters visible. 
Removing the NULL byte fixed the problem.

Test script:
---------------
This is a 1-line PHP script that contains a single NULL byte:
http://dl.dropbox.com/u/257587/test.php

Just showing printable chars, the contents of this file is:
<?php echo "Hi"; ?>

The NULL byte is located after the closing semicolon. (However, the exact location is irrelevant in order to reproduce the bug.)

Expected result:
----------------
The string 'Hi' should be output.

Actual result:
--------------
Instead, PHP outputs a number of non-printing characters (usually shown as 
question marks). Depending on the position and number of NULL bytes in the source 
code, the output may also be nothing at all.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-11-28 05:52 UTC] laruence@php.net
you must compile your php with zend-multibyte supporting. 

try this, php -ddetect_unicode = 0 test.php

I think this is not a bug,  but a side-effect of zend multibyte auto-unicode-
detection :)
 [2011-11-28 05:53 UTC] laruence@php.net
sorry, I mean, you must compiled your php with zend-multibyte supprot.  :)
 [2011-11-28 14:23 UTC] nh at ngin dot de
Well, but since it occurs with the default (factory) config/installation of at 
least two systems, it could be considered a bug. In either way, the behaviour that 
is observed is unexpected, and at least some kind of warning/informational message 
should be output.
 [2011-11-28 14:25 UTC] nh at ngin dot de
Oh and BTW, zend_multibyte *is* enabled in my install.

Configure Command =>  '/private/var/tmp/apache_mod_php/apache_mod_php-
53.6~2/php/configure'  '--prefix=/usr' '--mandir=/usr/share/man' '--
infodir=/usr/share/info' '--disable-dependency-tracking' '--
sysconfdir=/private/etc' '--with-apxs2=/usr/sbin/apxs' '--enable-cli' '--with-
config-file-path=/etc' '--with-libxml-dir=/usr' '--with-openssl=/usr' '--with-
kerberos=/usr' '--with-zlib=/usr' '--enable-bcmath' '--with-bz2=/usr' '--enable-
calendar' '--with-curl=/usr' '--enable-exif' '--enable-ftp' '--with-gd' '--with-
jpeg-dir=/BinaryCache/apache_mod_php/apache_mod_php-53.6~2/Root/usr/local' '--
with-png-dir=/BinaryCache/apache_mod_php/apache_mod_php-53.6~2/Root/usr/local' 
'--enable-gd-native-ttf' '--with-ldap=/usr' '--with-ldap-sasl=/usr' '--enable-
mbstring' '--enable-mbregex' '--with-mysql=mysqlnd' '--with-mysqli=mysqlnd' '--
with-pdo-mysql=mysqlnd' '--with-mysql-sock=/var/mysql/mysql.sock' '--without-
pear' '--with-iodbc=/usr' '--enable-shmop' '--with-snmp=/usr' '--enable-soap' '-
-enable-sockets' '--enable-sysvmsg' '--enable-sysvsem' '--enable-sysvshm' '--
enable-wddx' '--with-xmlrpc' '--with-iconv-dir=/usr' '--with-xsl=/usr' '--
enable-zend-multibyte' '--enable-zip' '--with-pcre-regex=/usr'
 [2011-11-28 15:24 UTC] laruence@php.net
yes, my english is a little poor, I meant that because you have compiled your php 
with zend muiltbyte enabled, so the NULL byte in the script trigger  auto-detect-
unicode mechanism.

so you can suppress this mechanism by -d detect_unicode=Off (or configed in 
php.ini).

thanks :)
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Mon Oct 21 20:01:28 2019 UTC