ID: 44703
Updated by: [EMAIL PROTECTED]
Reported By: wharmby at uk dot ibm dot com
-Status: Open
+Status: Closed
Bug Type: Scripting Engine problem
Operating System: Windows XP
PHP Version: 5.2.6RC5
New Comment:
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

Previous Comments:
------------------------------------------------------------------------

[2008-04-11 18:30:20] wharmby at uk dot ibm dot com

Description:
------------
htmlspecialchars() does not always detect a bad character set argument.

Problem in the following code around line 850 of ext/standard/html.c:

det_charset:
    if (charset_hint) {
        int found = 0;

        /* now walk the charset map and look for the codeset */
        for (i = 0; charset_map[i].codeset; i++) {
            if (strncasecmp(charset_hint, charset_map[i].codeset, len) == 0) {
                charset = charset_map[i].charset;
                found = 1;
                break;
            }
        }

This uses "len" as the maximum comparison length, which is the length of
the input charset hint. If this happens to match the first few characters
of a VALID charset then the code fails to detect a bad charset. For
example, a charset_hint of "125" is allowed as it matches the first 3
characters of a valid charset, namely "1252".

If the code is changed as follows, to check that the lengths are equal
first, then the problem is resolved.

        for (i = 0; charset_map[i].codeset; i++) {
            if (len == strlen(charset_map[i].codeset) &&
                strncasecmp(charset_hint, charset_map[i].codeset, len) == 0) {
                charset = charset_map[i].charset;
                found = 1;
                break;
            }
        }

Reproduce code:
---------------
<?php
var_dump( htmlspecialchars("<a href='test'>Test</a>", ENT_COMPAT, 1) );
var_dump( htmlspecialchars("<a href='test'>Test</a>", ENT_COMPAT, 12) );
var_dump( htmlspecialchars("<a href='test'>Test</a>", ENT_COMPAT, 125) );
var_dump( htmlspecialchars("<a href='test'>Test</a>", ENT_COMPAT, 1252) );
var_dump( htmlspecialchars("<a href='test'>Test</a>", ENT_COMPAT, 12526) );
?>
===Done===

Expected result:
----------------
PHP Warning:  htmlspecialchars(): charset `1' not supported, assuming iso-8859-1 in <path to t/c>
string(35) "&lt;a href='test'&gt;Test&lt;/a&gt;"
PHP Warning:  htmlspecialchars(): charset `12' not supported, assuming iso-8859-1 in <path to t/c>
string(35) "&lt;a href='test'&gt;Test&lt;/a&gt;"
PHP Warning:  htmlspecialchars(): charset `125' not supported, assuming iso-8859-1 in <path to t/c>
string(35) "&lt;a href='test'&gt;Test&lt;/a&gt;"
string(35) "&lt;a href='test'&gt;Test&lt;/a&gt;"
PHP Warning:  htmlspecialchars(): charset `12526' not supported, assuming iso-8859-1 in <path to t/c>
string(35) "&lt;a href='test'&gt;Test&lt;/a&gt;"
===Done===

Actual result:
--------------
string(35) "&lt;a href='test'&gt;Test&lt;/a&gt;"
string(35) "&lt;a href='test'&gt;Test&lt;/a&gt;"
string(35) "&lt;a href='test'&gt;Test&lt;/a&gt;"
string(35) "&lt;a href='test'&gt;Test&lt;/a&gt;"
PHP Warning:  htmlspecialchars(): charset `12526' not supported, assuming iso-8859-1 in <path to t/c>
string(35) "&lt;a href='test'&gt;Test&lt;/a&gt;"
===Done===

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=44703&edit=1
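The following is an added, stand-alone model of the lookup described in the report above; it is not PHP's own code. It places the pre-fix prefix compare (strncasecmp over only strlen(hint) bytes) next to the reporter's fixed exact-length compare, and runs both over the hints from the reproduce script plus two edge cases (a case-differing name and an empty hint). The charset table is a constructed subset of the real charset_map in ext/standard/html.c, and the enum names, struct name and function names (lookup_prefix, lookup_exact, charset_name) are hypothetical. The table puts "1252" before "1251" so that the toy reproduces the report's observation that "125" resolves to 1252.

```c
/* Added example, not PHP's own code: models the htmlspecialchars()
 * charset lookup with the buggy prefix compare beside the fixed one.
 * Table entries are a constructed subset of the real charset_map;
 * enum values and function names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */

enum charset_id { CS_UNKNOWN = 0, CS_ISO_8859_1, CS_UTF_8, CS_CP1252, CS_CP1251 };

struct charset_entry {
    const char *codeset;     /* name accepted as the charset argument */
    enum charset_id charset; /* internal charset it selects */
};

/* "1252" deliberately precedes "1251", matching the report's observation
 * that the hint "125" is resolved to 1252 by the prefix compare. */
static const struct charset_entry charset_map[] = {
    { "ISO-8859-1", CS_ISO_8859_1 },
    { "UTF-8",      CS_UTF_8 },
    { "cp1252",     CS_CP1252 },
    { "1252",       CS_CP1252 },
    { "cp1251",     CS_CP1251 },
    { "1251",       CS_CP1251 },
    { NULL,         CS_UNKNOWN }
};

/* Pre-fix behaviour: only strlen(hint) bytes are compared, so any hint that
 * is a prefix of a table entry is accepted ("125" -> 1252, "1" -> 1252).
 * An empty hint matches the very first entry, because strncasecmp with
 * n == 0 compares nothing and returns 0. */
enum charset_id lookup_prefix(const char *hint)
{
    size_t len = strlen(hint);
    for (int i = 0; charset_map[i].codeset; i++) {
        if (strncasecmp(hint, charset_map[i].codeset, len) == 0)
            return charset_map[i].charset;
    }
    return CS_UNKNOWN;
}

/* Fixed behaviour (the reporter's patch): the lengths must be equal before
 * the case-insensitive compare, so only a whole codeset name matches and
 * every other hint falls through to the "not supported" warning path. */
enum charset_id lookup_exact(const char *hint)
{
    size_t len = strlen(hint);
    for (int i = 0; charset_map[i].codeset; i++) {
        if (len == strlen(charset_map[i].codeset) &&
            strncasecmp(hint, charset_map[i].codeset, len) == 0)
            return charset_map[i].charset;
    }
    return CS_UNKNOWN;
}

/* Human-readable name for the table printed by main(). */
static const char *charset_name(enum charset_id id)
{
    switch (id) {
    case CS_ISO_8859_1: return "ISO-8859-1";
    case CS_UTF_8:      return "UTF-8";
    case CS_CP1252:     return "cp1252";
    case CS_CP1251:     return "cp1251";
    default:            return "(not supported -> warning)";
    }
}

int main(void)
{
    /* Hints from the bug's reproduce script, plus a case-differing name
     * and an empty hint as edge cases. */
    const char *hints[] = { "1", "12", "125", "1252", "12526", "utf-8", "" };
    printf("%-8s %-28s %s\n", "hint", "prefix compare (buggy)", "exact compare (fixed)");
    for (size_t i = 0; i < sizeof hints / sizeof hints[0]; i++) {
        printf("%-8s %-28s %s\n", hints[i][0] ? hints[i] : "\"\"",
               charset_name(lookup_prefix(hints[i])),
               charset_name(lookup_exact(hints[i])));
    }
    return 0;
}
```

Running it prints one row per hint: the buggy column silently resolves "1", "12" and "125" to cp1252 (and the empty hint to the first table entry), while the fixed column reports each of them as not supported and only accepts "1252" and "utf-8", which is exactly the warning behaviour the Expected result section asks for.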