Hello,

`base_convert` converts between numerical bases, such as from decimal to hex. 
It stores an intermediate result in a double, and thus loses precision for big 
numbers. This is a problem when used on big numbers in security contexts. This 
semi-often happens when users want to create a "nice" random token:

$token = base_convert(bin2hex(random_bytes(16)), 16, 36));
// "7nr0r976rl8o4wkwkkkcc84og"

This looks like a nice random string, but converting it back to hex shows that 
it is actually mostly zero:

var_dump(base_convert("7nr0r976rl8o4wkwkkkcc84og", 36, 16));
// "8161d6d5f47bb0000000000000000000"

Should base_convert raise a notice or warning when it cannot convert a number 
precisely? On one hand, silent conversion to floating point is just fact of 
life for PHP. But I would argue that in this case it is unexpected because both 
the input and output are strings. The loss of precision is documented in the 
manual, but it is not obvious from the result, and it has clear security 
impact. What do you think?

Regards,

Sjoerd Langkemper

Reply via email to