Update NEWS

php · May 26, 2022 · 172b734 · 172b734
2 parents e05897f + 209ea3f
commit 172b734
Show file tree

Hide file tree

Showing 3 changed files with 95 additions and 3 deletions.
diff --git a/NEWS b/NEWS
@@ -12,6 +12,8 @@ PHP                                                                        NEWS
   . Fixed Haiku ZTS builds. (David Carlier)
 
 - Date:
+  . Fixed bug #72963 (Null-byte injection in CreateFromFormat and related
+    functions). (Derick)
   . Fixed bug GH-8471 (Segmentation fault when converting immutable and mutable
     DateTime instances created using reflection). (Derick)
 

diff --git a/ext/date/php_date.c b/ext/date/php_date.c
@@ -2382,7 +2382,7 @@ PHP_FUNCTION(date_create_from_format)
 
 	ZEND_PARSE_PARAMETERS_START(2, 3)
 		Z_PARAM_STRING(format_str, format_str_len)
-		Z_PARAM_STRING(time_str, time_str_len)
+		Z_PARAM_PATH(time_str, time_str_len)
 		Z_PARAM_OPTIONAL
 		Z_PARAM_OBJECT_OF_CLASS_OR_NULL(timezone_object, date_ce_timezone)
 	ZEND_PARSE_PARAMETERS_END();
@@ -2404,7 +2404,7 @@ PHP_FUNCTION(date_create_immutable_from_format)
 
 	ZEND_PARSE_PARAMETERS_START(2, 3)
 		Z_PARAM_STRING(format_str, format_str_len)
-		Z_PARAM_STRING(time_str, time_str_len)
+		Z_PARAM_PATH(time_str, time_str_len)
 		Z_PARAM_OPTIONAL
 		Z_PARAM_OBJECT_OF_CLASS_OR_NULL(timezone_object, date_ce_timezone)
 	ZEND_PARSE_PARAMETERS_END();
@@ -2804,7 +2804,7 @@ PHP_FUNCTION(date_parse_from_format)
 
 	ZEND_PARSE_PARAMETERS_START(2, 2)
 		Z_PARAM_STR(format)
-		Z_PARAM_STR(date)
+		Z_PARAM_PATH_STR(date)
 	ZEND_PARSE_PARAMETERS_END();
 
 	parsed_time = timelib_parse_from_format(ZSTR_VAL(format), ZSTR_VAL(date), ZSTR_LEN(date), &error, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper);

diff --git a/ext/date/tests/bug72963.phpt b/ext/date/tests/bug72963.phpt
@@ -0,0 +1,90 @@
+--TEST--
+Bug #72963 (Null-byte injection in CreateFromFormat and related functions)
+--FILE--
+<?php
+$strings = [
+	'8/8/2016',
+	"8/8/2016\0asf",
+];
+
+foreach ($strings as $string) {
+	$d1 = $d2 = $d3 = NULL;
+	echo "\nCovering string: ", addslashes($string), "\n\n";
+
+	try {
+		$d1 = DateTime::createFromFormat('!m/d/Y', $string);
+	} catch (ValueError $v) {
+		echo $v->getMessage(), "\n";
+	}
+
+	try {
+		$d2 = DateTimeImmutable::createFromFormat('!m/d/Y', $string);
+	} catch (ValueError $v) {
+		echo $v->getMessage(), "\n";
+	}
+
+	try {
+		$d3 = date_parse_from_format('m/d/Y', $string);
+	} catch (ValueError $v) {
+		echo $v->getMessage(), "\n";
+	}
+
+	var_dump($d1, $d2, $d3);
+}
+?>
+--EXPECT--
+Covering string: 8/8/2016
+
+object(DateTime)#1 (3) {
+  ["date"]=>
+  string(26) "2016-08-08 00:00:00.000000"
+  ["timezone_type"]=>
+  int(3)
+  ["timezone"]=>
+  string(3) "UTC"
+}
+object(DateTimeImmutable)#2 (3) {
+  ["date"]=>
+  string(26) "2016-08-08 00:00:00.000000"
+  ["timezone_type"]=>
+  int(3)
+  ["timezone"]=>
+  string(3) "UTC"
+}
+array(12) {
+  ["year"]=>
+  int(2016)
+  ["month"]=>
+  int(8)
+  ["day"]=>
+  int(8)
+  ["hour"]=>
+  bool(false)
+  ["minute"]=>
+  bool(false)
+  ["second"]=>
+  bool(false)
+  ["fraction"]=>
+  bool(false)
+  ["warning_count"]=>
+  int(0)
+  ["warnings"]=>
+  array(0) {
+  }
+  ["error_count"]=>
+  int(0)
+  ["errors"]=>
+  array(0) {
+  }
+  ["is_localtime"]=>
+  bool(false)
+}
+
+Covering string: 8/8/2016\0asf
+
+DateTime::createFromFormat(): Argument #2 ($datetime) must not contain any null bytes
+DateTimeImmutable::createFromFormat(): Argument #2 ($datetime) must not contain any null bytes
+date_parse_from_format(): Argument #2 ($datetime) must not contain any null bytes
+NULL
+NULL
+NULL