When a post variable is present but empty, it should be set to an empty string so that PHP scripts can check it with `isset`. However, I found that this does not work when using suhosin with PHP 5.6.0. I wrote a minimal test case for this:

When I run this, it tells me that the non-empty variable `b` is set correctly, while the empty variable `a` is lost:
```
array(1) {
  ["b"]=>
  string(4) "test"
}
```
I have looked into this and I think the reason is the following code in post_handler.c at line 131:
```c
if (vlen) {
    vlen = php_url_decode(ksep, vlen);
}
```
This skips the call to php_url_decode if the length of the post value is 0. The problem is that php_url_decode is the function that should truncate the ksep string, which will be used later on. So if that function call is skipped, ksep will be too long. This will lead the check in line 593 of ifilter.c to think that there was some kind of NULL byte attack, because strlen(val) != val_len, and thus the post variable will be thrown away.
I suggest fixing this by removing the `if` from `post_handler.c`, as there is no real reason to skip the `php_url_decode` call. That function just contains a loop that will never get executed if `vlen == 0`, and one line for the string truncation. See http://lxr.php.net/xref/PHP_5_6/ext/standard/url.c#570.
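To make the reported mechanism concrete, here is an added, self-contained C example (not suhosin's or PHP's code). `demo_url_decode` is a simplified in-place decoder modelled on `php_url_decode` (decodes `+` and `%XX`, writes the terminating NUL, returns the new length), `demo_filter_accepts` stands in for the `strlen(val) != val_len` check described for `ifilter.c`, and `demo_post_var_survives` walks a constructed POST body the way the report describes `ksep`/`vlen` being derived, with a flag that reproduces the `if (vlen)` guard. All three names are hypothetical; with the guard on, the empty variable `a` is dropped, and with the guard removed it survives.

```c
#include <stdio.h>
#include <string.h>

/* Hexadecimal digit value, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Simplified stand-in for php_url_decode (assumption: same contract).
 * Decodes in place, writes a terminating NUL even when len == 0, and
 * returns the decoded length. The NUL is what truncates the value so
 * that the trailing "&next=..." bytes are no longer part of the string. */
size_t demo_url_decode(char *str, size_t len) {
    char *dest = str;
    char *data = str;
    while (len--) {
        if (*data == '+') {
            *dest = ' ';
        } else if (*data == '%' && len >= 2 &&
                   hexval(data[1]) >= 0 && hexval(data[2]) >= 0) {
            *dest = (char)(hexval(data[1]) * 16 + hexval(data[2]));
            data += 2;
            len -= 2;
        } else {
            *dest = *data;
        }
        data++;
        dest++;
    }
    *dest = '\0';
    return (size_t)(dest - str);
}

/* Stand-in for the ifilter.c length check described in the report:
 * a value whose C string length disagrees with its declared length is
 * treated as a NUL-byte injection attempt and rejected. */
int demo_filter_accepts(const char *val, size_t val_len) {
    return strlen(val) == val_len;
}

/* Returns 1 if variable `name` in `body` reaches the script, 0 if the
 * filter drops it, -1 if it is not present. skip_empty_decode == 1
 * reproduces the `if (vlen)` guard from post_handler.c line 131. */
int demo_post_var_survives(const char *body, const char *name, int skip_empty_decode) {
    char buf[256];
    size_t nlen = strlen(name);
    const char *p;
    char *ksep;
    size_t vlen;

    if (strlen(body) >= sizeof buf) return -1;
    strcpy(buf, body);   /* work on a mutable copy, as the decoder writes in place */

    /* locate "name=" at the start of the body or right after an '&' */
    for (p = buf; ; ) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == '=') break;
        p = strchr(p, '&');
        if (p == NULL) return -1;
        p++;
    }
    ksep = (char *)p + nlen + 1;   /* value starts after '=' */
    vlen = strcspn(ksep, "&");     /* value runs to the next '&' or end of body */

    /* The decode call is the only thing that truncates ksep; skipping it
     * for vlen == 0 leaves "&b=test" hanging off the empty value. */
    if (!skip_empty_decode || vlen) {
        vlen = demo_url_decode(ksep, vlen);
    }
    return demo_filter_accepts(ksep, vlen);
}

int main(void) {
    const char *body = "a=&b=test";   /* constructed POST body: a is present but empty */
    printf("with if (vlen) guard:    a=%d b=%d\n",
           demo_post_var_survives(body, "a", 1),
           demo_post_var_survives(body, "b", 1));
    printf("without guard (proposed): a=%d b=%d\n",
           demo_post_var_survives(body, "a", 0),
           demo_post_var_survives(body, "b", 0));
    return 0;
}
```

Running it prints `a=0 b=1` for the guarded version and `a=1 b=1` once the guard is removed, which matches the `var_dump` output above: the non-empty `b` is unaffected either way, while the empty `a` only survives when the decode (and its NUL write) is not skipped.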