From:             [email protected]
Operating system: All
PHP version:      5.2.8
PHP Bug Type:     *URL Functions
Bug description:  base64_decode interprets pad char in mid string as terminator

Description:
------------
base64_decode handles a pad as the end of data even when it is not 
terminating a string, in which case it really should be handled as a 
non-alphabet character. From RFC 3548 2.3: "Furthermore, such 
specifications may consider the pad character, "=", as not part of the 
base alphabet until the end of the string."

By ignoring all data after the pad, it is difficult to work with 
signature-based technologies where the base64-decoded octets must be 
compared to determine validity. PHP allows for additional data to be 
added to a signature which ends up being ignored when compared, while 
other implementations do not.

Reproduce code:
---------------
if (base64_decode("dGVzdA==") == base64_decode("dGVzdA==CRAP")) {
    echo "Same octect data - Signature Valid";
} else {
    echo "Invalid Signature";
}

Expected result:
----------------
Invalid Signature

Actual result:
--------------
Same octect data - Signature Valid

-- 
Edit bug report at http://bugs.php.net/?id=47174&edit=1
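
The check the report argues for, as an added example (not part of the original report and not PHP's own code): decode strictly, then require that re-encoding reproduces the input exactly before the signature octets are compared. The helper names and sample strings are assumptions made for illustration, and the code assumes PHP 7.1 or later and padded, standard-alphabet Base64.

```php
<?php
// Added example: canonical Base64 decoding before a signature comparison.
// decode_canonical_base64() and verify_signature_b64() are hypothetical names.

/**
 * Decode Base64 only if $input is the one canonical encoding of the
 * decoded octets; return null otherwise.
 */
function decode_canonical_base64(string $input): ?string
{
    // Strict mode: fail on invalid characters instead of silently skipping them.
    $raw = base64_decode($input, true);
    if ($raw === false) {
        return null;
    }
    // Round trip: re-encoding must reproduce the input byte for byte. This
    // rejects data after a pad, stripped padding, stray whitespace and
    // non-zero trailing bits, whatever the decoder itself tolerated.
    return base64_encode($raw) === $input ? $raw : null;
}

/** Compare a received Base64 signature against the expected raw octets. */
function verify_signature_b64(string $expectedRaw, string $receivedB64): bool
{
    $receivedRaw = decode_canonical_base64($receivedB64);
    // hash_equals() avoids leaking the position of the first differing byte.
    return $receivedRaw !== null && hash_equals($expectedRaw, $receivedRaw);
}

// Constructed sample inputs; "test" stands in for real signature octets.
$expected = 'test';
$samples = [
    'dGVzdA=='     => 'canonical encoding',
    'dGVzdA==CRAP' => 'data after pad (the case in the report)',
    'dGVzdA'       => 'padding stripped',
    'dGVzdB=='     => 'non-zero trailing bits',
    "dGVzdA==\n"   => 'trailing newline',
];
foreach ($samples as $b64 => $label) {
    $ok = verify_signature_b64($expected, $b64);
    printf("%-42s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Because the round trip compares against the exact input string, the result does not depend on how a given PHP version's decoder treats a mid-string pad.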