|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-09-02 04:57 UTC] stas@php.net
-Type: Security
+Type: Bug
-Assigned To:
+Assigned To: derick
[2022-05-20 13:55 UTC] derick@php.net
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2022 The PHP GroupAll rights reserved. |
Last updated: Sat May 21 06:03:42 2022 UTC |
Description: ------------ createFromFormat method from DateTime class is sensitive to null-byte injection. According to best practices to verify if date is valid in PHP, the best way is to use DateTime::createFromFormat because it returns false if date isn't valid. This way to verify date is used in many CMS systems (for example, in Drupal). The problem is that DateTime::createFromFormat second parameter is vulnerable to null-byte which can be passed to it when createFromFormat method is used to verify GET or POST param. Here are results if application calls DateTime::createFromFormat('m/d/Y', $_GET['startFrom']); where startFrom=8/8/2016 - will return true startFrom=8/8/2016asd - will return false startFrom=8/8/2016%00asd - will return true It seems to be reliable verification if date is valid and developer might not use htmlspecialchars or real_escape_string after it. This may lead to SQL Injection or XSS. Test script: --------------- <?php function verifyDate($date, $strict = true) { $dateTime = DateTime::createFromFormat('m/d/Y', $date); if ($strict) { $errors = DateTime::getLastErrors(); if (!empty($errors['warning_count'])) { return false; } } return $dateTime !== false; } if(!empty($_GET['startFrom']) && verifyDate($_GET['startFrom'])) { // query to database without escaping $_GET['startFrom'] // because it has passed verification of valid date } // tests var_dump(verifyDate('asd')); // false var_dump(verifyDate('8/8/2016')); // true var_dump(verifyDate('8/8/2016asdasd')); // false var_dump(verifyDate("8/8/2016\x00asdasd")); // true ?>