]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 586a076)
base64_decode: strict: Fail on excessive padding
authorLauri Kenttä <lauri.kentta@gmail.com>
Mon, 11 Jul 2016 09:40:08 +0000 (12:40 +0300)
committerNikita Popov <nikic@php.net>
Fri, 22 Jul 2016 16:03:56 +0000 (18:03 +0200)
ext/standard/base64.c patch | blob | history
ext/standard/tests/url/base64_decode_basic_001.phpt patch | blob | history

diff --git a/ext/standard/base64.c b/ext/standard/base64.c
index cf6951ba8d40d6e28e857f5f231a67a44ad9c48f..374628d8613f3d6519d211212f9519bfce879bc7 100644 (file)
--- a/ext/standard/base64.c
+++ b/ext/standard/base64.c
@@ -197,6 +197,11 @@ PHPAPI zend_string *php_base64_decode_ex(const unsigned char *str, size_t length
        if (strict && i % 4 == 1) {
                goto fail;
        }
+       /* fail if the padding length is wrong (not VV==, VVV=), but accept zero padding
+        * RFC 4648: "In some circumstances, the use of padding [--] is not required" */
+       if (strict && padding && (padding > 2 || (i + padding) % 4 != 0)) {
+               goto fail;
+       }
 
        ZSTR_LEN(result) = j;
        ZSTR_VAL(result)[ZSTR_LEN(result)] = '\0';
diff --git a/ext/standard/tests/url/base64_decode_basic_001.phpt b/ext/standard/tests/url/base64_decode_basic_001.phpt
index 7aba807e198bb4cb69122cdd9e347880da880ef1..e1469c37e8cb1142c113b269c673a55c42727ccf 100644 (file)
--- a/ext/standard/tests/url/base64_decode_basic_001.phpt
+++ b/ext/standard/tests/url/base64_decode_basic_001.phpt
@@ -9,7 +9,7 @@ Test base64_decode() function : basic functionality - ensure all base64 alphabet
  */
 
 echo "Decode an input string containing the whole base64 alphabet:\n";
-$allbase64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";
+$allbase64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/VV==";
 var_dump(bin2hex(base64_decode($allbase64)));
 var_dump(bin2hex(base64_decode($allbase64, false)));
 var_dump(bin2hex(base64_decode($allbase64, true)));
@@ -18,7 +18,7 @@ echo "Done";
 ?>
 --EXPECTF--
 Decode an input string containing the whole base64 alphabet:
-string(96) "00108310518720928b30d38f41149351559761969b71d79f8218a39259a7a29aabb2dbafc31cb3d35db7e39ebbf3dfbf"
-string(96) "00108310518720928b30d38f41149351559761969b71d79f8218a39259a7a29aabb2dbafc31cb3d35db7e39ebbf3dfbf"
-string(96) "00108310518720928b30d38f41149351559761969b71d79f8218a39259a7a29aabb2dbafc31cb3d35db7e39ebbf3dfbf"
+string(98) "00108310518720928b30d38f41149351559761969b71d79f8218a39259a7a29aabb2dbafc31cb3d35db7e39ebbf3dfbf55"
+string(98) "00108310518720928b30d38f41149351559761969b71d79f8218a39259a7a29aabb2dbafc31cb3d35db7e39ebbf3dfbf55"
+string(98) "00108310518720928b30d38f41149351559761969b71d79f8218a39259a7a29aabb2dbafc31cb3d35db7e39ebbf3dfbf55"
 Done
\ No newline at end of file
Unnamed repository; edit this file 'description' to name the repository.