#43162 [Com]: GET date variable name not binary-safe on null bytes

Thu, 01 Nov 2007 06:45:38 -0800 

 ID:               43162
 Comment by:       carsten_sttgt at gmx dot de
 Reported By:      ryat at wolvez dot org
 Status:           Feedback
 Bug Type:         *General Issues
 Operating System: Ubuntu7.10
 PHP Version:      5.2.4
 New Comment:

> And why would you want to pass null byte in the parameter name?
Because it's allowed to use "%00" in a query_string ;-) In
$_SERVER['QUERY_STRING'] you have the correct value.

It's also allowed, and works, to use "\0" as array key:
| $a = array("a\0aaaa" => "test");
| echo $a["a\0aaaa"].PHP_EOL;
| echo strlen(key($a));
prints:
| test
| 6

This also works:
| $s = 'a%00aaaa=test';
| $s = rawurldecode($s);
| $t = explode('=', $s);
| $a[$t[0]] = $t[1];
| unset($t);
| var_dump($a);

But this not:
| $s = 'a%00aaaa=test';
| $s = rawurldecode($s);
| parse_str($s, $a);
| var_dump($a);

Maybe the problem is:
With a possible "register_globals = on" or only "parse_str($s);", you
have an illegal variable name?

So, that is a bug, but maybe a "won't fix" and should be described in
the manual?

Regards,
Carsten


Previous Comments:
------------------------------------------------------------------------

[2007-11-01 11:46:29] zizzy at wolvez dot org

I want to know is this is bug?

------------------------------------------------------------------------

[2007-11-01 09:25:46] [EMAIL PROTECTED]

And why would you want to pass null byte in the parameter name? 


------------------------------------------------------------------------

[2007-11-01 08:32:21] ryat at wolvez dot org

Replenish other example

magic_quotes_gpc=on

http://127.0.0.1/test/test3.php?a%00aaaa=a%00aaaa

Array ( [a] => a\0aaaa )

magic_quotes_gpc=off

http://127.0.0.1/test/test3.php?a%00aaaa=a%00aaaa

Array ( [a] => aaaaa )

------------------------------------------------------------------------

[2007-10-31 17:01:40] ryat at wolvez dot org

Hihi,pay attention to:

magic_quotes_gpc=on

http://127.0.0.1/test.php?a'aaaa=test

Actual result:
--------------
Array ( [a\'aaaa] => test )


http://127.0.0.1/test.php?a%00aaaa=test

Actual result:
--------------
Array ( [a] => test )

------------------------------------------------------------------------

[2007-10-31 16:41:14] crescentfreshpot at yahoo dot com

php is written in C. In C the null byte represents the end of a string.
I don't think php can work around this.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
    http://bugs.php.net/43162

-- 
Edit this bug report at http://bugs.php.net/?id=43162&edit=1

Reply via email to