base64_decode interprets pad char in mid string as terminator

Bug #47174	base64_decode interprets pad char in mid string as terminator
Submitted:	2009-01-20 21:04 UTC	Modified:	2009-03-09 18:18 UTC
From:	rrichards@php.net	Assigned:	iliaa (profile)
Status:	Closed	Package:	*URL Functions
PHP Version:	5.2.8	OS:	*
Private report:	No	CVE-ID:	None

[2009-01-20 21:04 UTC] rrichards@php.net

Description:
------------
base64_decode handles a pad as the end of data even when it is not 
terminating a string, in which case it really should be handled as non-
alphabet characters. From rfc 3548 2.3: "Furthermore, such 
specifications may consider the pad character, "=", as not part of the 
base alphabet until the end of the string."

By ignoring all data after the pad, it is difficult to work with 
signature based technologies where the base64 
decoded octects must be compared to determine validity. PHP allows for 
additional data to be added to a signature which ends up being ignored 
when compared, while other implementations do not.

Reproduce code:
---------------
if (base64_decode("dGVzdA==") == base64_decode("dGVzdA==CRAP")) {
    echo "Same octect data - Signature Valid";
} else {
    echo "Invalid Signature";
}

Expected result:
----------------
Invalid Signature

Actual result:
--------------
Same octect data - Signature Valid

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-01-21 15:45 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

[2009-03-09 18:17 UTC] stas@php.net

Just FYI - this fix breaks SugarCRM version 5.0.0 (which relies on strings like dGVzdA==CRAP to decode correctly) and same may happen to other apps. It's probably their fault but it may be good to know that 5.2.9 works differently there.