| author | Lauri Kenttä <lauri.kentta@gmail.com> | 2016-07-11 12:40:08 +0300 |
|---|---|---|
| committer | Nikita Popov <nikic@php.net> | 2016-07-22 18:03:56 +0200 |
| commit | 5c62f3f68e38dd12a8e2f590f5f52d11d0aad8a6 (patch) | |
| tree | 36438ea118c92a91bf78f5b026415c8fb8f5f147 | |
| parent | 586a0761ff5e2bd1befcc35119f833fd32f6597e (diff) | |
| download | php-git-5c62f3f68e38dd12a8e2f590f5f52d11d0aad8a6.tar.gz | |
base64_decode: strict: Fail on excessive padding
| -rw-r--r-- | ext/standard/base64.c | 5 | ||||
| -rw-r--r-- | ext/standard/tests/url/base64_decode_basic_001.phpt | 8 |
2 files changed, 9 insertions, 4 deletions
diff --git a/ext/standard/base64.c b/ext/standard/base64.c
index cf6951ba8d..374628d861 100644
--- a/ext/standard/base64.c
+++ b/ext/standard/base64.c
@@ -197,6 +197,11 @@ PHPAPI zend_string *php_base64_decode_ex(const unsigned char *str, size_t length
 if (strict && i % 4 == 1) {
 goto fail;
 }
+ /* fail if the padding length is wrong (not VV==, VVV=), but accept zero padding
+ * RFC 4648: "In some circumstances, the use of padding [--] is not required" */
+ if (strict && padding && (padding > 2 || (i + padding) % 4 != 0)) {
+ goto fail;
+ }
 ZSTR_LEN(result) = j;
 ZSTR_VAL(result)[ZSTR_LEN(result)] = '\0';
diff --git a/ext/standard/tests/url/base64_decode_basic_001.phpt b/ext/standard/tests/url/base64_decode_basic_001.phpt
index 7aba807e19..e1469c37e8 100644
--- a/ext/standard/tests/url/base64_decode_basic_001.phpt
+++ b/ext/standard/tests/url/base64_decode_basic_001.phpt
@@ -9,7 +9,7 @@ Test base64_decode() function : basic functionality - ensure all base64 alphabet
 */
 echo "Decode an input string containing the whole base64 alphabet:\n";
-$allbase64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
+$allbase64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/VV==";
 var_dump(bin2hex(base64_decode($allbase64)));
 var_dump(bin2hex(base64_decode($allbase64, false)));
 var_dump(bin2hex(base64_decode($allbase64, true)));
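Review bot: The added strict check deliberately lets an input with no padding through (`padding == 0` skips the whole condition), so under `strict` both `VV` and `VV==` are accepted and decode to the same bytes. Callers that use a successful strict decode as a validity gate and then compare, sign or index the encoded text rather than the decoded bytes therefore cannot treat the encoding as canonical. The comment should state this outright, for example `/* note: strict mode is not canonical; padded and unpadded forms of the same data are both accepted */`. Whether non-zero trailing bits in the final symbol are rejected is not visible in this hunk; if they are not, that is a second source of aliasing worth checking. The body of php_base64_decode_ex starts and ends outside the hunk.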
@@ -18,7 +18,7 @@ echo "Done";
 ?>
 --EXPECTF--
 Decode an input string containing the whole base64 alphabet:
-string(96) "00108310518720928b30d38f41149351559761969b71d79f8218a39259a7a29aabb2dbafc31cb3d35db7e39ebbf3dfbf"
-string(96) "00108310518720928b30d38f41149351559761969b71d79f8218a39259a7a29aabb2dbafc31cb3d35db7e39ebbf3dfbf"
-string(96) "00108310518720928b30d38f41149351559761969b71d79f8218a39259a7a29aabb2dbafc31cb3d35db7e39ebbf3dfbf"
+string(98) "00108310518720928b30d38f41149351559761969b71d79f8218a39259a7a29aabb2dbafc31cb3d35db7e39ebbf3dfbf55"
+string(98) "00108310518720928b30d38f41149351559761969b71d79f8218a39259a7a29aabb2dbafc31cb3d35db7e39ebbf3dfbf55"
+string(98) "00108310518720928b30d38f41149351559761969b71d79f8218a39259a7a29aabb2dbafc31cb3d35db7e39ebbf3dfbf55"
 Done
\ No newline at end of file |
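Review bot: No case in this test asserts the new strict-mode rejection. The two hunks of this file only change the input from `+/=` to `+/VV==` and update the three expected strings, so all three calls still succeed, and the diffstat shows no other test file touched. Negative cases with `bool(false)` expected would pin the rule, for example `var_dump(base64_decode("VV=", true));`, `var_dump(base64_decode("VVV==", true));` and `var_dump(base64_decode("VV===", true));`. A positive `var_dump(bin2hex(base64_decode("VV", true)));` would pin the accepted unpadded form. Without them a later refactor of the padding check could loosen strict validation without any test failing.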
