#25997 [Opn]: Embedded null characters in strings breaks documented behavior of functions.

2003-10-27 Thread xodfull at starmen dot net
 ID:   25997
 User updated by:  xodfull at starmen dot net
 Reported By:  xodfull at starmen dot net
 Status:   Open
 Bug Type: *General Issues
 Operating System: Linux, Apache.
 PHP Version:  4.3.3
 New Comment:

Magic quotes needs to be disabled for this particular example to
work.

Anyway, I'm using RedHat's build of Linux 2.4.20, with Apache 1.3.28.


Previous Comments:


[2003-10-27 02:03:03] [EMAIL PROTECTED]

I've tested your code with 4.3.3, 4.3.4-CVS, 5-CVS and can't reproduce
the result you get (ip2long returns -1, as expected).
Please, give more info about your OS & Apache.



[2003-10-26 22:32:27] xodfull at starmen dot net

Description:

ip2long() is supposed to return -1 on an invalid ip address.  Because
of PHP's method of storing strings, and a careless calling of standard
C library functions that use null-terminated strings, it will not
return -1 on invalid ip addresses that contain embedded null characters
in appropriate places.

 The function ip2long() generates an IPv4 Internet network address
from its Internet standard format (dotted string) representation. If
ip_address is invalid then -1 is returned. Note that -1 does not
evaluate as FALSE in PHP.

Reproduce code:
---
if(ip2long($_GET['ip']) != -1)
 echo($_GET['ip']);

http://something.net/somescript.php?ip=127.0.0.1%00bfoo/b

Expected result:

Arbitrary HTML insertion.  Worse effects may be possible depending on
the application.








#25997 [NEW]: Embedded null characters in strings breaks documented behavior of functions.

2003-10-26 Thread xodfull at starmen dot net
From: xodfull at starmen dot net
Operating system: Linux, Apache.
PHP version:  4.3.3
PHP Bug Type: *General Issues
Bug description:  Embedded null characters in strings breaks documented behavior of 
functions.

Description:

ip2long() is supposed to return -1 on an invalid ip address.  Because of
PHP's method of storing strings, and a careless calling of standard C
library functions that use null-terminated strings, it will not return -1
on invalid ip addresses that contain embedded null characters in
appropriate places.

 The function ip2long() generates an IPv4 Internet network address from
its Internet standard format (dotted string) representation. If ip_address
is invalid then -1 is returned. Note that -1 does not evaluate as FALSE
in PHP.

Reproduce code:
---
if(ip2long($_GET['ip']) != -1)
 echo($_GET['ip']);

http://something.net/somescript.php?ip=127.0.0.1%00bfoo/b

Expected result:

Arbitrary HTML insertion.  Worse effects may be possible depending on the
application.


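The mismatch the report describes, between a length-counted string and a C routine that stops at the first NUL byte, shown as an added C example. This is not PHP's source code or code from the report. The struct, the function names and the use of inet_pton() as the C-library parser are assumptions made for illustration, and the sample input is constructed.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Length-counted string: pointer plus length, so NUL bytes may appear inside.
 * (Hypothetical type for this example.) */
struct counted_str {
    const char *val;
    size_t len;
};

/* Pattern described in the report: the length is ignored and the buffer is
 * handed to a C routine that stops reading at the first NUL byte. */
int naive_is_ipv4(struct counted_str s)
{
    struct in_addr addr;
    return inet_pton(AF_INET, s.val, &addr) == 1;
}

/* Hardened form: reject any value containing a NUL inside its counted
 * length before the C parser ever sees it. */
int strict_is_ipv4(struct counted_str s)
{
    struct in_addr addr;
    if (memchr(s.val, '\0', s.len) != NULL)
        return 0;
    /* s.val must still be NUL-terminated at s.val[s.len] for inet_pton. */
    return inet_pton(AF_INET, s.val, &addr) == 1;
}

/* Constructed sample input: a valid address, a NUL, then trailing markup. */
static const char sample[] = "127.0.0.1\0<b>x</b>";
static const struct counted_str tainted = { sample, sizeof sample - 1 };
static const struct counted_str clean = { "127.0.0.1", 9 };

int main(void)
{
    printf("naive  tainted=%d clean=%d\n",
           naive_is_ipv4(tainted), naive_is_ipv4(clean));
    printf("strict tainted=%d clean=%d\n",
           strict_is_ipv4(tainted), strict_is_ipv4(clean));
    return 0;
}
```

The naive check validates only the bytes before the NUL, while the caller later outputs the full counted string; the strict check closes that gap by validating the same bytes that will be used.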