Bug #72963 Null-byte injection in createFromFormat
Submitted: 2016-08-29 11:24 UTC Modified: 2022-05-20 13:55 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: qoqe at inbox dot lv Assigned: derick (profile)
Status: Closed Package: Date/time related
PHP Version: 7.0.10 OS: Linux, Windows
Private report: No CVE-ID: None
 [2016-08-29 11:24 UTC] qoqe at inbox dot lv
Description:
------------
The createFromFormat method of the DateTime class is sensitive to null-byte injection.

According to best practices for verifying whether a date is valid in PHP, the best way is to use DateTime::createFromFormat because it returns false if the date isn't valid. This way of verifying dates is used in many CMS systems (for example, in Drupal).

The problem is that the second parameter of DateTime::createFromFormat is vulnerable to a null byte, which can be passed to it when the createFromFormat method is used to verify a GET or POST parameter.

Here are the results if an application calls DateTime::createFromFormat('m/d/Y', $_GET['startFrom']); where

startFrom=8/8/2016 - will return true
startFrom=8/8/2016asd - will return false
startFrom=8/8/2016%00asd - will return true

It seems to be a reliable verification that a date is valid, so a developer might not use htmlspecialchars or real_escape_string after it. This may lead to SQL injection or XSS.



Test script:
---------------
<?php

function verifyDate($date, $strict = true) {
    $dateTime = DateTime::createFromFormat('m/d/Y', $date);
    if ($strict) {
        // Reject input that parsed but raised warnings (e.g. trailing data).
        $errors = DateTime::getLastErrors();
        if (!empty($errors['warning_count'])) {
            return false;
        }
    }
    return $dateTime !== false;
}

if (!empty($_GET['startFrom']) && verifyDate($_GET['startFrom'])) {
    // query to database without escaping $_GET['startFrom']
    // because it has passed verification of valid date
}

// tests
var_dump(verifyDate('asd'));                // false
var_dump(verifyDate('8/8/2016'));           // true
var_dump(verifyDate('8/8/2016asdasd'));     // false
var_dump(verifyDate("8/8/2016\x00asdasd")); // true

?>
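A hardened variant of the reporter's check, added here as an example (it is neither the reporter's code nor the php-src fix): it rejects any control byte, including NUL, before parsing, treats both warnings and errors from getLastErrors() as failure, and returns the parsed object so that callers bind the canonical rendering rather than the raw request string. The function name parseDate, the PDO usage in comments, and the sample inputs are assumptions for illustration.

```php
<?php
// Added example, not from the bug report or from php-src.

/**
 * Parse a user-supplied date strictly. Returns null on any doubt.
 *
 * Callers must use the returned object's canonical output (for example
 * ->format('Y-m-d')) in queries or HTML, never the original input string.
 */
function parseDate(string $input, string $format = 'm/d/Y'): ?DateTimeImmutable
{
    // Refuse control bytes (NUL through 0x1F, plus DEL) outright, so a
    // parser that stops at NUL cannot hide trailing data from later code.
    if (preg_match('/[\x00-\x1F\x7F]/', $input) === 1) {
        return null;
    }

    // '!' resets unparsed fields to zero so the result is deterministic.
    $dt = DateTimeImmutable::createFromFormat('!' . $format, $input);
    if ($dt === false) {
        return null;
    }

    // getLastErrors() returns false on PHP >= 8.2 when there is nothing to
    // report; on older versions it always returns an array.
    $errors = DateTimeImmutable::getLastErrors();
    if ($errors !== false
        && (($errors['warning_count'] ?? 0) > 0 || ($errors['error_count'] ?? 0) > 0)) {
        return null;
    }

    return $dt;
}

// Constructed sample inputs, mirroring the reporter's tests.
$samples = [
    'asd',
    '8/8/2016',
    '8/8/2016asdasd',
    "8/8/2016\x00asdasd",
];

foreach ($samples as $sample) {
    $parsed = parseDate($sample);
    printf(
        "%-28s => %s\n",
        json_encode($sample),               // shows \u0000 for the NUL byte
        $parsed === null ? 'rejected' : 'accepted as ' . $parsed->format('Y-m-d')
    );
}

// Intended use with a query: bind the canonical value, not $_GET directly.
// $parsed = parseDate($_GET['startFrom'] ?? '');
// if ($parsed !== null) {
//     $stmt = $pdo->prepare('SELECT id FROM orders WHERE created >= :start');
//     $stmt->execute([':start' => $parsed->format('Y-m-d')]);
// }
```

Expected behaviour: only "8/8/2016" is accepted; the NUL-containing input is rejected by the control-byte check regardless of PHP version, and the other two fail at parse time. Passing the canonical `Y-m-d` rendering to a prepared statement removes the dependency on the validator being byte-exact at all.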


History

 [2016-09-02 04:57 UTC] stas@php.net
-Type: Security +Type: Bug -Assigned To: +Assigned To: derick
 [2022-05-26 14:20 UTC] git@php.net
Automatic comment on behalf of derickr
Revision: https://github.com/php/php-src/commit/2dcd82162e822e189fea17ac2f88bb53e06023a1
Log: Fixed bug #72963 (Null-byte injection in CreateFromFormat and related functions)
 [2022-05-26 14:20 UTC] git@php.net
-Status: Assigned +Status: Closed