Hello,
`base_convert` converts between numerical bases, such as from decimal to hex.
It stores an intermediate result in a double, and thus loses precision for big
numbers. This is a problem when used on big numbers in security contexts. This
semi-often happens when users want to create a "nice" random token:
$token = base_convert(bin2hex(random_bytes(16)), 16, 36));
// "7nr0r976rl8o4wkwkkkcc84og"
This looks like a nice random string, but converting it back to hex shows that
it is actually mostly zero:
var_dump(base_convert("7nr0r976rl8o4wkwkkkcc84og", 36, 16));
// "8161d6d5f47bb0000000000000000000"
Should base_convert raise a notice or warning when it cannot convert a number
precisely? On one hand, silent conversion to floating point is just fact of
life for PHP. But I would argue that in this case it is unexpected because both
the input and output are strings. The loss of precision is documented in the
manual, but it is not obvious from the result, and it has clear security
impact. What do you think?
Regards,
Sjoerd Langkemper