Bug #70277 new DateTimeZone($foo) is ignoring text after null byte
Submitted: 2015-08-15 13:21 UTC Modified: 2015-08-17 14:04 UTC
From: lukas at owncloud dot com Assigned: derick (profile)
Status: Closed Package: timezonedb (PECL)
PHP Version: 5.6.12 OS: *
Private report: No CVE-ID: None


 [2015-08-15 13:21 UTC] lukas at owncloud dot com
While reviewing the PHP source code of a third-party application I stumbled upon the fact that "new DateTimeZone" is not handling the Null-Byte as an error situation.

In this specific case it led to a vulnerability since the security model was mostly relying on input validation instead of output sanitization (the data was then used in another exploitable context such as not using PDO etc.). Thus I filed this as a security relevant bug.
(besides the fact that an actual exploitation obviously requires some other bug in the application as well)

That said, if the PHP team decides that this does not warrant being handled as a potential security issue I'm completely fine with that as the application in question has been fixed.

Test script:

<?php
function isValidTimeZone($zone) {
	// The constructor throws an Exception for an unknown timezone identifier.
	try {
	    new DateTimeZone($zone);
	} catch(Exception $e) {
	    return false;
	}
	return true;
}

var_dump(isValidTimeZone('Europe/Zurich')); // TRUE, as expected
var_dump(isValidTimeZone('Europe/Zurich/Foo')); // False, as expected
var_dump(isValidTimeZone("Europe/Zurich\0Foo")); // True, should be false

Expected result:
new DateTimeZone("Europe/Zurich\0Foo") should throw an exception

Actual result:
"Europe/Zurich" is used as timezone


0001-Fix-70277-new-DateTimeZone-foo-is-ignoring-text-afte (last revision 2015-08-16 12:49 UTC by

 [2015-08-16 07:40 UTC]
-Assigned To: +Assigned To: derick
 [2015-08-16 07:42 UTC]
-Type: Security +Type: Bug
 [2015-08-16 07:42 UTC]
This doesn't look like a security issue to me. For every bug you can invent code like this: if(bugPresent()) { return 1; } else { return 0; } and then invent code which makes security decisions based on if the code above returns 0 or 1. However, that would make "security" classification meaningless, as every bug becomes a security bug.
 [2015-08-16 12:48 UTC]
-Status: Assigned +Status: Analyzed -Operating System: Linux +Operating System: *
 [2015-08-16 12:48 UTC]
Indeed, the DateTimeZone constructors are not binary safe. They're
parsing the timezone as string, but discard the length when
calling timezone_initialize(). It seems to be appropriate to add a
tz_len parameter and a respective check to timezone_initialize(),
see the attached patch (`git am` against master).
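
The length check described in the comment above, sketched in C as an added example; it is not the attached patch and not php-src code. The names `known_zones`, `zone_exists`, `tz_init_unchecked` and `tz_init_checked` are hypothetical, the zone table is constructed, and the input buffer is assumed to be NUL-terminated at its end, as PHP strings are.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the timezone database; not PHP's real table. */
static const char *const known_zones[] = { "Europe/Zurich", "Europe/London", "UTC" };

/* Hypothetical lookup that, like any C-string API, stops at the first NUL. */
static int zone_exists(const char *tz)
{
    for (size_t i = 0; i < sizeof known_zones / sizeof known_zones[0]; i++) {
        if (strcmp(tz, known_zones[i]) == 0)
            return 1;
    }
    return 0;
}

/* Length discarded: the caller's tz_len never reaches the lookup, so
 * "Europe/Zurich\0Foo" is indistinguishable from "Europe/Zurich". */
int tz_init_unchecked(const char *tz)
{
    return zone_exists(tz);
}

/* Length carried through: a counted string whose C-string length differs
 * from its counted length contains an embedded NUL and is rejected up front.
 * Assumes tz[tz_len] is a terminating NUL. */
int tz_init_checked(const char *tz, size_t tz_len)
{
    if (strlen(tz) != tz_len)
        return 0;
    return zone_exists(tz);
}

int main(void)
{
    /* Constructed inputs; sizeof - 1 gives the full counted length. */
    static const char plain[] = "Europe/Zurich";
    static const char smuggled[] = "Europe/Zurich\0Foo";

    printf("unchecked plain:    %d\n", tz_init_unchecked(plain));
    printf("unchecked smuggled: %d\n", tz_init_unchecked(smuggled));
    printf("checked plain:      %d\n", tz_init_checked(plain, sizeof plain - 1));
    printf("checked smuggled:   %d\n", tz_init_checked(smuggled, sizeof smuggled - 1));
    return 0;
}
```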
 [2015-08-16 12:49 UTC]
The following patch has been added/updated:

Patch Name: 0001-Fix-70277-new-DateTimeZone-foo-is-ignoring-text-afte
Revision:   1439729384
 [2015-08-16 15:41 UTC]
The patch has white space issues in the first block.
 [2015-08-17 14:04 UTC]
I've submitted PR #1474.
 [2015-08-17 17:36 UTC]
Automatic comment on behalf of
Log: Fix #70277: new DateTimeZone($foo) is ignoring text after null byte
 [2015-08-17 17:36 UTC]
-Status: Analyzed +Status: Closed
 [2015-08-18 16:24 UTC]
Automatic comment on behalf of
Log: Fix #70277: new DateTimeZone($foo) is ignoring text after null byte