PHP :: Bug #72963 :: Null-byte injection in createFromFormat

Bug #72963

Null-byte injection in createFromFormat

Submitted:

2016-08-29 11:24 UTC

Modified:

2022-05-20 13:55 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

qoqe at inbox dot lv

Assigned:

derick (profile)

Status:

Closed

Package:

Date/time related

PHP Version:

7.0.10

OS:

Linux, Windows

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	qoqe at inbox dot lv
New email:
PHP Version:		OS:

New/Additional Comment:

[2016-08-29 11:24 UTC] qoqe at inbox dot lv

Description:
------------
createFromFormat method from DateTime class is sensitive to null-byte injection. 

According to best practices to verify if date is valid in PHP, the best way is to use DateTime::createFromFormat because it returns false if date isn't valid. This way to verify date is used in many CMS systems (for example, in Drupal).

The problem is that DateTime::createFromFormat second parameter is vulnerable to null-byte which can be passed to it when createFromFormat method is used to verify GET or POST param.

Here are results if application calls DateTime::createFromFormat('m/d/Y', $_GET['startFrom']); where

startFrom=8/8/2016 - will return true
startFrom=8/8/2016asd - will return false
startFrom=8/8/2016%00asd - will return true

It seems to be reliable verification if date is valid and developer might not use htmlspecialchars or real_escape_string after it. This may lead to SQL Injection or XSS.



Test script:
---------------
 <?php
 
    function verifyDate($date, $strict = true) {
        $dateTime = DateTime::createFromFormat('m/d/Y', $date);
        if ($strict) {
            $errors = DateTime::getLastErrors();
            if (!empty($errors['warning_count'])) {
                return false;
            }
        }
        return $dateTime !== false;
    }
    
    if(!empty($_GET['startFrom']) && verifyDate($_GET['startFrom'])) {
    
        // query to database without escaping $_GET['startFrom']
        // because it has passed verification of valid date
    
    }
    
    // tests
    
    var_dump(verifyDate('asd')); // false
    var_dump(verifyDate('8/8/2016')); // true
    var_dump(verifyDate('8/8/2016asdasd')); // false
    var_dump(verifyDate("8/8/2016\x00asdasd")); // true
 
 ?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-09-02 04:57 UTC] stas@php.net

-Type: Security +Type: Bug -Assigned To: +Assigned To: derick

[2022-05-20 13:55 UTC] derick@php.net

https://github.com/php/php-src/pull/8593

[2022-05-26 14:20 UTC] git@php.net

Automatic comment on behalf of derickr
Revision: https://github.com/php/php-src/commit/2dcd82162e822e189fea17ac2f88bb53e06023a1
Log: Fixed bug #72963 (Null-byte injection in CreateFromFormat and related functions)

[2022-05-26 14:20 UTC] git@php.net

-Status: Assigned +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Jul 01 09:01:34 2025 UTC