ID:               47174
 Updated by:       s...@php.net
 Reported By:      rricha...@php.net
 Status:           Closed
 Bug Type:         *URL Functions
 Operating System: *
 PHP Version:      5.2.8
 Assigned To:      iliaa
 New Comment:

Just FYI - this fix breaks SugarCRM version 5.0.0 (which relies on
strings like dGVzdA==CRAP to decode correctly) and same may happen to
other apps. It's probably their fault but it may be good to know that
5.2.9 works differently there. 


Previous Comments:
------------------------------------------------------------------------

[2009-01-21 15:45:53] il...@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.



------------------------------------------------------------------------

[2009-01-20 21:04:03] rricha...@php.net

Description:
------------
base64_decode handles a pad as the end of data even when it is not
terminating a string, in which case it really should be handled as
non-alphabet characters. From rfc 3548 2.3: "Furthermore, such
specifications may consider the pad character, "=", as not part of the
base alphabet until the end of the string."

By ignoring all data after the pad, it is difficult to work with
signature based technologies where the base64 decoded octets must be
compared to determine validity. PHP allows for additional data to be
added to a signature which ends up being ignored when compared, while
other implementations do not.

Reproduce code:
---------------
if (base64_decode("dGVzdA==") == base64_decode("dGVzdA==CRAP")) {
    echo "Same octect data - Signature Valid";
} else {
    echo "Invalid Signature";
}

Expected result:
----------------
Invalid Signature

Actual result:
--------------
Same octect data - Signature Valid


------------------------------------------------------------------------
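The report above shows why a lenient base64 decoder is a problem for signature checks: two different strings decode to the same octets, so a comparison on decoded bytes accepts trailing garbage. The following is an added example (not code from the bug report or from PHP) that models the reported behaviour in a small `lenient_b64decode` function, puts a strict RFC 3548 style decoder beside it, and compares the two in a signature check. The function names, the "expected"/"presented" signature values and the decoder model are constructed for this illustration; `hmac.compare_digest` is the standard library's constant-time comparison.

```python
import base64
import binascii
import hmac

# The 64-character base64 alphabet; '=' is deliberately not in it.
_B64_ALPHABET = set(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)


def lenient_b64decode(s: bytes) -> bytes:
    """Model of the behaviour described in the report (constructed, not PHP's
    real implementation): the first pad character is treated as the end of
    data, so everything after it is silently ignored."""
    head = s.split(b"=", 1)[0]
    # A lenient decoder also drops characters outside the alphabet.
    head = bytes(c for c in head if c in _B64_ALPHABET)
    # Re-pad to a multiple of four and decode what is left.
    head += b"=" * (-len(head) % 4)
    return base64.b64decode(head)


def strict_b64decode(s: bytes) -> bytes:
    """Strict decoding: length is a multiple of four, every character is in
    the alphabet, and '=' may only appear as the last one or two characters.
    Anything else (including '=' before the end of the string) is rejected."""
    if len(s) % 4 != 0:
        raise ValueError("length is not a multiple of 4")
    body = s.rstrip(b"=")
    pad = len(s) - len(body)
    if pad > 2:
        raise ValueError("too many pad characters")
    if any(c not in _B64_ALPHABET for c in body):
        raise ValueError("non-alphabet character before end of string")
    return base64.b64decode(s)


def signature_matches(expected_b64: bytes, presented_b64: bytes,
                      decode=strict_b64decode) -> bool:
    """Compare two base64-encoded signatures on their decoded octets.
    A decode failure counts as an invalid signature; the byte comparison
    is constant-time so it does not leak where the values diverge."""
    try:
        expected = decode(expected_b64)
        presented = decode(presented_b64)
    except (ValueError, binascii.Error):
        return False
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed sample values taken from the report's reproduce case.
    expected = b"dGVzdA=="
    presented = b"dGVzdA==CRAP"
    print("lenient:", signature_matches(expected, presented,
                                        decode=lenient_b64decode))  # True
    print("strict: ", signature_matches(expected, presented))        # False
```

With the lenient decoder both inputs decode to the same four bytes and the check passes; with the strict decoder the presented value is rejected outright, which is the behaviour the reporter expected and the behaviour other implementations already had.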


-- 
Edit this bug report at http://bugs.php.net/?id=47174&edit=1
