php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67069 substr_compare() returns incorrect results when using default length
Submitted: 2014-04-13 22:42 UTC Modified: 2014-04-13 23:06 UTC
From: nachms+php at gmail dot com Assigned:
Status: Duplicate Package: Strings related
PHP Version: 5.5.11 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: nachms+php at gmail dot com
New email:
PHP Version: OS:

 

 [2014-04-13 22:42 UTC] nachms+php at gmail dot com
Description:
------------
PHP in 5.5.11 is returning incorrect results from substr_compare() when length is left as the default setting. In 5.5.10, it worked correctly.

String checks returning equal when they are not equal is a security hole. Any application checking the end of a string to equal something, perhaps a user name, password, perhaps the extension on file types, or other file paths, is now going to think things are equal when they in fact are not.

The documentation for this function: http://php.net/manual/en/function.substr-compare.php
States if the length parameter is not passed:
"The default value is the largest of the length of the str compared to the length of main_str less the offset."

Or in other words, max(main_str - offset, str), meaning it compares for whatever amount is left over in in the two strings.

However, in the included test, it seems lenth is always being set to 0.


Test script:
---------------
<?php
echo substr_compare('Cows',  'ws',  2), "\n";
echo substr_compare('Cows',  'ws',  -2), "\n";
echo substr_compare('Cows',  'ows',  3), "\n";
echo substr_compare('Cows',  'ows',  -3), "\n";
echo substr_compare('Cows',  'aws',  3), "\n";
echo substr_compare('Cows',  'aws',  -3), "\n";

Expected result:
----------------
0
0
4
0
18
14

Actual result:
--------------
0
0
0
0
0
0

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-04-13 22:53 UTC] stas@php.net
-Type: Security +Type: Bug
 [2014-04-13 23:06 UTC] stas@php.net
-Status: Open +Status: Duplicate
 [2014-04-13 23:06 UTC] stas@php.net
Looks like dupe of #67043, at least I am not seeing problems after the fix is applied. Please reopen if you still see it after updating to latest code.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Nov 17 18:01:33 2019 UTC