Bug #67069 substr_compare() returns incorrect results when using default length
Submitted: 2014-04-13 22:42 UTC Modified: 2014-04-13 23:06 UTC
From: nachms+php at gmail dot com Assigned:
Status: Duplicate Package: Strings related
PHP Version: 5.5.11 OS: Linux
Private report: No CVE-ID: None
 [2014-04-13 22:42 UTC] nachms+php at gmail dot com
Description:
------------
PHP in 5.5.11 is returning incorrect results from substr_compare() when length is left as the default setting. In 5.5.10, it worked correctly.

String checks returning equal when they are not equal is a security hole. Any application checking the end of a string to equal something, perhaps a user name, password, perhaps the extension on file types, or other file paths, is now going to think things are equal when they in fact are not.

The documentation for this function: http://php.net/manual/en/function.substr-compare.php
States if the length parameter is not passed:
"The default value is the largest of the length of the str compared to the length of main_str less the offset."

Or in other words, max(main_str - offset, str), meaning it compares for whatever amount is left over in the two strings.

However, in the included test, it seems length is always being set to 0.


Test script:
---------------
<?php
echo substr_compare('Cows',  'ws',  2), "\n";
echo substr_compare('Cows',  'ws',  -2), "\n";
echo substr_compare('Cows',  'ows',  3), "\n";
echo substr_compare('Cows',  'ows',  -3), "\n";
echo substr_compare('Cows',  'aws',  3), "\n";
echo substr_compare('Cows',  'aws',  -3), "\n";

Expected result:
----------------
0
0
4
0
18
14

Actual result:
--------------
0
0
0
0
0
0

History

 [2014-04-13 22:53 UTC] stas@php.net
-Type: Security +Type: Bug
 [2014-04-13 23:06 UTC] stas@php.net
-Status: Open +Status: Duplicate
 [2014-04-13 23:06 UTC] stas@php.net
Looks like dupe of #67043, at least I am not seeing problems after the fix is applied. Please reopen if you still see it after updating to latest code.
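
An added example, not part of the report or of PHP's own code: a suffix check that avoids substr_compare() entirely, plus a startup probe built from the six test cases in the report, so an application can detect a build where the default length misbehaves. The function names and the sample file names are hypothetical and constructed for illustration.

```php
<?php
// Added example: not code from the bug report or from the PHP project.

// Suffix check that never calls substr_compare(), so it does not depend on
// that function's default-length handling. Hypothetical helper name.
function ends_with_strict($haystack, $suffix)
{
    $len = strlen($suffix);
    if ($len === 0) {
        return true;               // every string ends with the empty string
    }
    if ($len > strlen($haystack)) {
        return false;              // suffix cannot fit in the haystack
    }
    return substr($haystack, -$len) === $suffix;   // type-strict comparison
}

// Probe using the report's six calls. Only zero versus non-zero is checked,
// because callers should not rely on the magnitude of a non-zero result.
function substr_compare_default_length_ok()
{
    $cases = array(
        array('Cows', 'ws',   2, true),
        array('Cows', 'ws',  -2, true),
        array('Cows', 'ows',  3, false),
        array('Cows', 'ows', -3, true),
        array('Cows', 'aws',  3, false),
        array('Cows', 'aws', -3, false),
    );
    foreach ($cases as $case) {
        list($main, $str, $offset, $shouldMatch) = $case;
        if ((substr_compare($main, $str, $offset) === 0) !== $shouldMatch) {
            return false;          // "equal" reported where it must not be, or vice versa
        }
    }
    return true;
}

// Constructed sample input: names checked against an allowed extension.
foreach (array('report.pdf', 'shell.php', 'pdf', '') as $name) {
    $verdict = ends_with_strict($name, '.pdf') ? 'accept' : 'reject';
    printf("%-14s %s\n", var_export($name, true), $verdict);
}

if (!substr_compare_default_length_ok()) {
    error_log('substr_compare() default length misbehaves on PHP ' . PHP_VERSION);
    exit(1);
}
```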