From: Lauri Kenttä
Date: Mon, 11 Jul 2016 09:40:01 +0000 (+0300)
Subject: Require strict base64 in openssl_decode
X-Git-Tag: php-7.1.0beta2~86^2~29
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f775199ac70abef4bf7fa29c805d73df09131e21;p=php
Require strict base64 in openssl_decode
Using invalid data in a security-related context makes no sense, and there's even a test which depends on invalid base64 data failing, even though it currently fails for the wrong reasons by sheer luck.
---
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index e01d4a50e6..d41ba73291 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -6375,7 +6375,7 @@ PHP_FUNCTION(openssl_decrypt)
 php_openssl_load_cipher_mode(&mode, cipher_type);
 if (!(options & OPENSSL_RAW_DATA)) {
- base64_str = php_base64_decode((unsigned char*)data, (int)data_len);
+ base64_str = php_base64_decode_ex((unsigned char*)data, (int)data_len, 1);
 if (!base64_str) {
 php_error_docref(NULL, E_WARNING, "Failed to base64 decode the input");
 EVP_CIPHER_CTX_free(cipher_ctx);
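Review bot: The new call still narrows the length with `(int)data_len`; if `data_len` is a `size_t` (its declaration is outside the hunk), an input longer than INT_MAX would reach the decoder with a truncated or negative length, so the strict check would run on the wrong span. Either drop the cast, `base64_str = php_base64_decode_ex((unsigned char*)data, data_len, 1);`, if the decoder takes a `size_t` in this tree, or reject oversized input before this line. The bare `1` would read better with a short comment such as `/* strict: reject characters outside the base64 alphabet */`. The commit message mentions a test that currently fails only by luck, but no test change is visible here, so a case that passes non-alphabet characters without OPENSSL_RAW_DATA and expects the warning would pin the new behaviour. The body of openssl_decrypt starts and ends outside the hunk.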