From: xodfull at starmen dot net
Operating system: Linux, Apache.
PHP version: 4.3.3
PHP Bug Type: *General Issues
Bug description: Embedded null characters in strings breaks documented behavior of functions.

Description:
------------
ip2long() is supposed to return -1 on an invalid ip address. Because of PHP's method of storing strings, and a careless calling of standard C library functions that use null-terminated strings, it will not return -1 on invalid ip addresses that contain embedded null characters in appropriate places.

"The function ip2long() generates an IPv4 Internet network address from its Internet standard format (dotted string) representation. If ip_address is invalid then -1 is returned. Note that -1 does not evaluate as FALSE in PHP."

Reproduce code:
---------------
if(ip2long($_GET['ip']) != -1) echo($_GET['ip']);

http://something.net/somescript.php?ip=127.0.0.1%00<b>foo</b>

Expected result:
----------------
Arbitrary HTML insertion. Worse effects may be possible depending on the application.

--
Edit bug report at http://bugs.php.net/?id=25997&edit=1
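
Added example, not part of the original report and not PHP's own source: a C sketch of the mismatch the report describes, where a length-counted string is validated through a NUL-terminated API, next to a binary-safe check. The function names and the sample buffer are constructed here, and inet_pton() stands in as an assumption for whichever C routine does the parsing.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the counted string from the report's URL after
   decoding, i.e. a dotted quad, one NUL byte, then markup. */
static const char SAMPLE[] = "127.0.0.1\0<b>foo</b>";
#define SAMPLE_LEN (sizeof(SAMPLE) - 1)   /* 20 bytes, NUL included */

/* Naive check: passes the buffer to a NUL-terminated API, so only the
   bytes before the first NUL are ever examined. Returns 1 if accepted. */
int naive_is_ipv4(const char *buf, size_t len)
{
    struct in_addr a;
    (void)len;                     /* counted length ignored: the bug */
    return inet_pton(AF_INET, buf, &a) == 1;
}

/* Binary-safe check: every one of the len bytes must belong to the
   address, so any embedded NUL is rejected before parsing. */
int strict_is_ipv4(const char *buf, size_t len)
{
    struct in_addr a;
    char tmp[16];                  /* "255.255.255.255" plus terminator */

    if (len == 0 || len >= sizeof(tmp))
        return 0;
    if (memchr(buf, '\0', len) != NULL)
        return 0;
    memcpy(tmp, buf, len);
    tmp[len] = '\0';
    return inet_pton(AF_INET, tmp, &a) == 1;
}

int main(void)
{
    /* The validator sees strlen() bytes; the caller later emits len bytes. */
    printf("bytes validated: %zu, bytes in string: %zu\n",
           strlen(SAMPLE), (size_t)SAMPLE_LEN);
    printf("naive accepts:  %d\n", naive_is_ipv4(SAMPLE, SAMPLE_LEN));
    printf("strict accepts: %d\n", strict_is_ipv4(SAMPLE, SAMPLE_LEN));
    return 0;
}
```

Whatever the validator does, the output side of the reproduce code still needs HTML escaping before the value is echoed.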