php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #9462 NULL bute eats rest of string
Submitted: 2001-02-26 09:17 UTC Modified: 2001-05-05 14:33 UTC
From: tharbad at kaotik dot org Assigned:
Status: Closed Package: Filesystem function related
PHP Version: 4.0.4pl1 OS: Linux
Private report: No CVE-ID: None
 [2001-02-26 09:17 UTC] tharbad at kaotik dot org
I'm not sure if this is a bug or feature, comments are apreciated.

http://bugs.horde.org/show_bug.cgi?id=621

Example:
<quote>
include($string . ".php");
</quote>
with "magic_quotes_gpc = On" (php.ini) calling test.php?string=test%00
result: Warning: Failed opening 'test\0.php' for inclusion
with "magic_quotes_gpc = Off", same request
result: Warning: Failed opening 'test' for inclusion

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-02-28 23:06 UTC] bbonev@php.net
just error reporting functions are not binary safe. although i do not see a reason to open a file containing a null char in the name - most OSes will get the part before the first null char. lets call it bug because current behav doesn't help enough to track the problem
 [2001-03-01 10:34 UTC] tharbad at kaotik dot org
On my system, with something like:
include($string . ".php");

I'm able to get, for example, /etc/passwd by adding a null byte to the end of $string, causing the include function to ignore the ".php" extension set on the include.

 [2001-05-05 14:33 UTC] derick@php.net
Andi says:
I don't understand why this is a bug. He should code better :) This is how
the OS works or am I missing something?

This is an OS thingy, so I'm closing this.
 
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Sun Mar 26 03:03:47 2023 UTC