From: tsteinbr at igd dot fraunhofer dot de
Operating system: Linux (Debian 3.1)
PHP version: 5.1.4
PHP Bug Type: HTTP related
Bug description: Binary data gets corrupted on multipart/formdata POST
Description:
------------
Binary data supplied from the client via multipart/formdata POST (rfc1867)
gets corrupted. Data will be truncated at the first occurence of a zero
byte.
Reproduce code:
---------------
We post a variable called "mydata" containing "test\0test" (test, binary
zero, test). This data is 9 bytes long.
We use the following PHP code to dump all submitted POST data:
var_dump($_POST);
Here's a hex dump of the POST:
0000: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d ----------------
0010: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 64 35 --------------d5
0020: 66 34 30 63 31 30 63 39 32 66 0d 0a 43 6f 6e 74 f40c10c92f..Cont
0030: 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a ent-Disposition:
0040: 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 form-data; name
0050: 3d 22 6d 79 64 61 74 61 22 0d 0a 0d 0a 74 65 73 ="mydata"....tes
0060: 74 00 74 65 73 74 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d t.test..--------
0070: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d ----------------
0080: 2d 2d 2d 2d 2d 2d 64 35 66 34 30 63 31 30 63 39 ------d5f40c10c9
0090: 32 66 2d 2d 0d 0a 2f--
And here's C code (using libcurl) that will generate such a request, which
is perfectly RFC1867 compliant:
curl_formadd(&post, &last,
CURLFORM_COPYNAME, "mydata",
CURLFORM_PTRCONTENTS, "test\0test",
CURLFORM_CONTENTSLENGTH, 9,
CURLFORM_END);
Expected result:
----------------
array(1) {
["mydata"]=>
string(9) "test"
}
Actual result:
--------------
array(1) {
["mydata"]=>
string(4) "test"
}
Note: The problem can by worked around by using Base64 encoding, etc, but
that's not the point. RFC1867 was created for providing a method of
sending large quantities of binary data or text containing non-ASCII
characters, without the need for inefficient coding.
--
Edit bug report at http://bugs.php.net/?id=38236&edit=1
--
Try a CVS snapshot (PHP 4.4):
http://bugs.php.net/fix.php?id=38236&r=trysnapshot44
Try a CVS snapshot (PHP 5.2):
http://bugs.php.net/fix.php?id=38236&r=trysnapshot52
Try a CVS snapshot (PHP 6.0):
http://bugs.php.net/fix.php?id=38236&r=trysnapshot60
Fixed in CVS: http://bugs.php.net/fix.php?id=38236&r=fixedcvs
Fixed in release:
http://bugs.php.net/fix.php?id=38236&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=38236&r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=38236&r=needscript
Try newer version: http://bugs.php.net/fix.php?id=38236&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=38236&r=support
Expected behavior: http://bugs.php.net/fix.php?id=38236&r=notwrong
Not enough info:
http://bugs.php.net/fix.php?id=38236&r=notenoughinfo
Submitted twice:
http://bugs.php.net/fix.php?id=38236&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=38236&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=38236&r=php3
Daylight Savings: http://bugs.php.net/fix.php?id=38236&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=38236&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=38236&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=38236&r=float
No Zend Extensions: http://bugs.php.net/fix.php?id=38236&r=nozend
MySQL Configuration Error: http://bugs.php.net/fix.php?id=38236&r=mysqlcfg
