|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #64439 \0 causes error_log strings to be truncated
Submitted: 2013-03-16 06:03 UTC Modified: 2021-07-19 14:00 UTC
Avg. Score:3.3 ± 0.5
Reproduced:3 of 3 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: eric at wepay dot com Assigned: cmb (profile)
Status: Closed Package: *General Issues
PHP Version: 5.4.13 OS: CentOS
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: eric at wepay dot com
New email:
PHP Version: OS:


 [2013-03-16 06:03 UTC] eric at wepay dot com
A string containing "\0" passed into error_log() causes the message to be 
truncated after that character. This is especially apparent when a log message 
contains a serialized object which has private properties, as their serialization 
key is \0classname\0propname.

file_put_contents is not affected, nor is using error_log with the destination 
parameter; only when using the ini setting.

Digging around through source, it looks like it's caused by the use of c strlen() 
in xbuf_format_converter (main/spprintf.c:576) which assumes null-terminated 
strings, called by vspprintf() -> ssprintf() -> php_log_err()

Happens in 5.4.x as well as a just-built git master 5.6.0-dev

Test script:

class a {
	private $b = 'c';
$obj = new a;
$str = serialize($obj);

ini_set('error_log', '/Users/eric/Desktop/error_log.log');
error_log($str); // truncated
file_put_contents('/Users/eric/Desktop/fpc.log', $str); // ok
error_log($str, 3, '/Users/eric/Desktop/error_log_param.log'); // ok

Expected result:
All three files should contain the following string:


(note that "ab" is actually "\0a\0b")

Hex dump:
4F 3A 31 3A 22 61 22 3A 31 3A 7B 73 3A 34 3A 22 00 61 00 62 22 3B 73 3A 31 3A 22 
63 22 3B 7D

Actual result:
error_log.log contains only the following:

[16-Mar-2013 04:23:06 UTC] O:1:"a":1:{s:4:"

(the timestamp is not relevant)
4F 3A 31 3A 22 61 22 3A 31 3A 7B 73 3A 34 3A 22 0A

The other two files (error_log_param.log, fpc.log) correctly record the full 


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2013-03-19 11:41 UTC]
hmm, yes, error_log is not binary safe.

and fix that need a huge work, all sapi's log message need to be updated. and also 
send mail, log to file related apis

a workaround could be done at user side.
 [2013-10-24 05:28 UTC]
-Type: Bug +Type: Documentation Problem -Package: Scripting Engine problem +Package: Documentation problem
 [2013-10-24 05:28 UTC]
This should be documented.
 [2013-10-24 05:30 UTC]
Automatic comment from SVN on behalf of yohgaki
Log: Fixed Doc Bug #64439 \0 causes error_log strings to be truncated
 [2013-10-30 00:42 UTC] spam2 at rhsoft dot net
this is also *security relevant*
simply strip or escape control chars and you are done
study the mod_security code, they know how to escape log lines
 [2013-11-01 06:34 UTC]
-Type: Documentation Problem +Type: Feature/Change Request -Package: Documentation problem +Package: *General Issues
 [2013-11-01 06:34 UTC]
Thanks for the info, but I knew this kind of attack can be done.

Anyway, even if we made logging binary safe, there would be other problems. We cannot simply escape special chars because it may broke log analyzers. It's possible escape special chars, but it would not happen in released version.

There is developer working on this issue. Changed bug type.
 [2016-09-04 14:22 UTC] yonelceruto at gmail dot com
I've faced with this issue too, so my question is: Why "\0" character is dumped when private or protected properties are serialized ? It is needed for unserialize process?
 [2021-07-19 14:00 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2021-07-19 14:00 UTC]
This issue is fixed as of PHP 8.1.0[1].  Note that
syslog.filter[2] already allows to escape characters as of PHP

[1] <>
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Jul 31 06:01:24 2021 UTC