Bug #79618 PHP: checkdate does not validate input
Submitted: 2020-05-21 18:42 UTC Modified: 2020-05-21 18:46 UTC
From: adam dot engle at adventhealth dot com Assigned:
Status: Not a bug Package: Date/time related
PHP Version: 7.4.6 OS: Unix/OSX
Private report: No CVE-ID: None
 [2020-05-21 18:42 UTC] adam dot engle at adventhealth dot com
Description:
------------
---
From manual page: https://php.net/function.checkdate
---

echo "<?php var_dump(checkdate(12, 31, '2000<script>alert(1)</script>'));" | php
bool(true)

echo "<?php var_dump(checkdate('12<script>alert(1)</script>', 31, 2000));" | php
bool(true)

Test script:
---------------
<?php
//Assume year is received via unvalidated input
$post_year_val = '2000<script>alert(1)</script>';
// In coercive (default) mode checkdate() juggles the string to int 2000,
// emits only a notice, and returns true, so the tainted string survives.
if (!checkdate(12, 1, $post_year_val)) {
        $nowArray = getdate();
        $month = $nowArray['mon'];
        $year = $nowArray['year'];
} else {
        $month = 12;
        $year = $post_year_val;   // still the raw, unescaped input
}

$display_block = "<html><head/><body>";
// The raw string is concatenated straight into the HTML response.
$calendardate = $year."-".$month."-01";
$display_block .= $calendardate;
$display_block .= '</body></html>';

echo $display_block;

Expected result:
----------------
If input is not a valid integer as an input parameter, the function should fail closed, returning false. Otherwise, unintended consequences could result if a developer assumes the input provided to this function creates a valid date.

Actual result:
--------------
PHP 7.4.6 does provide a notice that it did not receive a well-formed int; however, it continues processing anyway if a date can be devised from the string, failing open and returning true.

History

 [2020-05-21 18:46 UTC] peehaa@php.net
-Status: Open +Status: Not a bug
 [2020-05-21 18:46 UTC] peehaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

PHP casts the data.

For more information see https://www.php.net/manual/en/language.types.type-juggling.php and https://www.php.net/manual/en/functions.arguments.php#functions.arguments.type-declaration.strict
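The following is an added example, not code from the report or from php-src, showing the hardened form of the reporter's test script. It combines the strict_types declaration the maintainer points to (which turns the coerced call into a TypeError) with explicit integer validation before checkdate() and output encoding at the HTML sink. The function names validateCalendarDate and renderCalendarHeader are hypothetical, and the tainted input is the constructed payload from the report.

```php
<?php
declare(strict_types=1);

// Added example (not the reporter's or php-src's code). Function names are
// hypothetical; the inputs stand in for values taken from $_POST.

/**
 * Validate month/year strings as real integers before asking checkdate()
 * whether the date exists. Returns null on any validation failure.
 */
function validateCalendarDate(string $month, string $year): ?array
{
    // FILTER_VALIDATE_INT accepts only an optional sign and digits, so
    // "2000<script>alert(1)</script>" is rejected instead of juggled to 2000.
    $m = filter_var($month, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 12]]);
    $y = filter_var($year, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 32767]]);
    if ($m === false || $y === false) {
        return null;
    }
    // With genuine ints in hand, checkdate() only answers "does this day exist".
    if (!checkdate($m, 1, $y)) {
        return null;
    }
    return ['month' => $m, 'year' => $y];
}

/**
 * Build the calendar header; fall back to the current month on bad input
 * and HTML-encode the value at the point it is written into the page.
 */
function renderCalendarHeader(string $month, string $year): string
{
    $date = validateCalendarDate($month, $year);
    if ($date === null) {
        $now = getdate();
        $date = ['month' => $now['mon'], 'year' => $now['year']];
    }
    $calendardate = sprintf('%04d-%02d-01', $date['year'], $date['month']);
    // Encode on output regardless of validation; it costs nothing when clean.
    return '<html><head/><body>'
        . htmlspecialchars($calendardate, ENT_QUOTES, 'UTF-8')
        . '</body></html>';
}

// Constructed sample input: the payload from the bug report.
$tainted = '2000<script>alert(1)</script>';

// Under strict_types the reporter's original call no longer coerces the
// string to int; passing a string to an int parameter throws a TypeError.
try {
    var_dump(checkdate(12, 31, $tainted));
} catch (TypeError $e) {
    echo 'strict_types: ', $e->getMessage(), PHP_EOL;
}

// Tainted year: validation fails, the current month is used instead.
echo renderCalendarHeader('12', $tainted), PHP_EOL;
// Clean year: validated, checked with checkdate(), encoded on output.
echo renderCalendarHeader('12', '2000'), PHP_EOL;
```

Two points worth noting about the design. strict_types only governs calls made from the file that declares it, so it protects this script's own call to checkdate() but not a caller elsewhere that still passes a string; the filter_var() step is what makes the validation independent of the caller's mode. And the htmlspecialchars() call is deliberately kept even though validated input can no longer carry markup, because escaping at the sink is what prevents the next refactor of the validation logic from reintroducing the injection.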
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri May 03 18:01:34 2024 UTC