From: wharmby at uk dot ibm dot com
Operating system: Windows XP
PHP version: 5.2.6RC5
PHP Bug Type: Scripting Engine problem
Bug description: htmlspecialchars() does not detect bad character set argument
Description:
------------
htmlspecialchars() does not always detect a bad character set argument. The problem is in the following code, around line 850 of ext/standard/html.c:

det_charset:
    if (charset_hint) {
        int found = 0;

        /* now walk the charset map and look for the codeset */
        for (i = 0; charset_map[i].codeset; i++) {
            /* len is the length of charset_hint, so this is a prefix compare */
            if (strncasecmp(charset_hint, charset_map[i].codeset, len) == 0) {
                charset = charset_map[i].charset;
                found = 1;
                break;
            }
        }

This uses "len", the length of the input charset hint, as the maximum comparison length. If the hint happens to match the first few characters of a VALID charset name, the code fails to detect the bad charset. For example, a charset_hint of "125" is accepted because it matches the first 3 characters of the valid charset "1252".

If the code is changed as follows, to check that the lengths are equal before comparing, the problem is resolved:

        for (i = 0; charset_map[i].codeset; i++) {
            /* only accept an exact (case-insensitive) name, never a prefix */
            if (len == strlen(charset_map[i].codeset) &&
                strncasecmp(charset_hint, charset_map[i].codeset, len) == 0) {
                charset = charset_map[i].charset;
                found = 1;
                break;
            }
        }

Reproduce code:
---------------
<?php
var_dump( htmlspecialchars("<a href='test'>Test</a>", ENT_COMPAT, 1) );
var_dump( htmlspecialchars("<a href='test'>Test</a>", ENT_COMPAT, 12) );
var_dump( htmlspecialchars("<a href='test'>Test</a>", ENT_COMPAT, 125) );
var_dump( htmlspecialchars("<a href='test'>Test</a>", ENT_COMPAT, 1252) );
var_dump( htmlspecialchars("<a href='test'>Test</a>", ENT_COMPAT, 12526) );
?>
===Done===

Expected result:
----------------
PHP Warning: htmlspecialchars(): charset `1' not supported, assuming iso-8859-1 in <path to t/c>
string(35) "&lt;a href='test'&gt;Test&lt;/a&gt;"
PHP Warning: htmlspecialchars(): charset `12' not supported, assuming iso-8859-1 in <path to t/c>
string(35) "&lt;a href='test'&gt;Test&lt;/a&gt;"
PHP Warning: htmlspecialchars(): charset `125' not supported, assuming iso-8859-1 in <path to t/c>
string(35) "&lt;a href='test'&gt;Test&lt;/a&gt;"
string(35) "&lt;a href='test'&gt;Test&lt;/a&gt;"
PHP Warning: htmlspecialchars(): charset `12526' not supported, assuming iso-8859-1 in <path to t/c>
string(35) "&lt;a href='test'&gt;Test&lt;/a&gt;"
===Done===

Actual result:
--------------
string(35) "&lt;a href='test'&gt;Test&lt;/a&gt;"
string(35) "&lt;a href='test'&gt;Test&lt;/a&gt;"
string(35) "&lt;a href='test'&gt;Test&lt;/a&gt;"
string(35) "&lt;a href='test'&gt;Test&lt;/a&gt;"
PHP Warning: htmlspecialchars(): charset `12526' not supported, assuming iso-8859-1 in <path to t/c>
string(35) "&lt;a href='test'&gt;Test&lt;/a&gt;"
===Done===

-- Edit bug report at http://bugs.php.net/?id=44703&edit=1
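The prefix-match lookup described in the report, beside the length-checked version, as an added example that is not code from the bug report or from PHP itself. The charset_map here is a constructed three-entry subset with placeholder charset ids, and the function names are hypothetical; the example also covers the empty-hint case, which the buggy compare accepts as the first table entry.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Constructed subset of PHP's codeset table; the real charset_map in
 * ext/standard/html.c is larger and its charset values are enum ids. */
struct codeset_entry { const char *codeset; int charset; };

static const struct codeset_entry charset_map[] = {
    { "ISO-8859-1", 1 },
    { "1252",       2 },
    { "UTF-8",      3 },
    { NULL,         0 },   /* terminator, as in the loop condition */
};

/* Buggy lookup: the compare is bounded by the length of the caller's hint,
 * so any prefix of a valid codeset name "matches". An empty hint matches
 * the first entry because strncasecmp with n == 0 returns 0.
 * Returns the charset id, or -1 when no entry matched. */
int lookup_charset_buggy(const char *hint)
{
    size_t len = strlen(hint);
    for (int i = 0; charset_map[i].codeset; i++) {
        if (strncasecmp(hint, charset_map[i].codeset, len) == 0)
            return charset_map[i].charset;
    }
    return -1;
}

/* Fixed lookup: require equal lengths before the case-insensitive compare,
 * so only an exact (case-insensitive) codeset name is accepted. */
int lookup_charset_fixed(const char *hint)
{
    size_t len = strlen(hint);
    for (int i = 0; charset_map[i].codeset; i++) {
        if (len == strlen(charset_map[i].codeset) &&
            strncasecmp(hint, charset_map[i].codeset, len) == 0)
            return charset_map[i].charset;
    }
    return -1;
}
```

A hint of "125" selects id 2 from the buggy lookup and is rejected by the fixed one; "12526" is rejected by both, matching the report's expected and actual output.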