Edit report at http://bugs.php.net/bug.php?id=47802&edit=1

 ID:                 47802
 Updated by:         [email protected]
 Reported by:        disbursement at dublin dot com
 Summary:            PDO_MYSQL doesn't use the charset parameter
-Status:             Re-Opened
+Status:             To be documented
 Type:               Feature/Change Request
 Package:            MySQL related
 Operating System:   all
 PHP Version:        5.2.9
-Assigned To:        kalle
+Assigned To:        
 Block user comment: N
 Private report:     N

 New Comment:

If a developer shoots himself it is nothing we can prevent. This does not
justify a security release of PHP as the only one who can exploit this
is the one writing code ...

This should however be made clear in the documentation: Executing SET
NAMES doesn't tell anything to the client library (libmysql / mysqlnd
used by PHP) so they can't do proper encoding. Therefore only Latin 1,
Utf-8 and other encodings using lower 7 bits in an ASCII compatible way
can be used safely. For other encodings the mentioned option, introduced
later in 5.3.6, should be used.


Previous Comments:
------------------------------------------------------------------------
[2011-04-18 22:38:48] [email protected]

Re-opening because of 5_2 backport request by some user.

------------------------------------------------------------------------
[2011-04-18 22:34:03] ircmaxell at gmail dot com

Re-opening this as it has security implications for 5.2.x.  It should be
backported and re-released as a security fix for 5.2.x.

As it stands now, PDO::quote() does not protect against security
vulnerabilities without the ability to set the character set in the C
API.  5.3.6 closes this hole when supplied with the optional charset
parameter (by appropriately setting the character set).  However this
will need to be expressed in the documentation (I will file another
issue on this topic).

Proof Of Concept Code:

$dsn = 'mysql:dbname=INFORMATION_SCHEMA;host=127.0.0.1;charset=GBK';
$pdo = new PDO($dsn, $user, $pass);
$pdo->exec('SET NAMES GBK');
$string = chr(0xbf) . chr(0x27) . ' OR 1 = 1; /*';
$sql = "SELECT TABLE_NAME
            FROM INFORMATION_SCHEMA.TABLES
            WHERE TABLE_NAME LIKE ".$pdo->quote($string).";";
$stmt = $pdo->query($sql);
var_dump($stmt->rowCount());

Expected: int(0)
Actual: the number of tables on the server
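
The mechanism behind both comments above (SET NAMES changing the server charset while the client library still escapes byte by byte), as an added illustration in Python that is not part of the report and not libmysql, mysqlnd or PDO code: a naive byte-wise escaper next to a charset-aware one, with the server's reading of each result modelled by decoding the bytes as GBK. The sample inputs are constructed and the escapers are simplified stand-ins for the real client-library routines.

```python
# Constructed samples. MALFORMED_INPUT mirrors the report's PoC bytes: 0xBF
# (a GBK lead byte) followed by a quote and an injected tail. LEGIT_INPUT is
# a well-formed GBK character (0xBF 0x5C) followed by an apostrophe.
MALFORMED_INPUT = b"\xbf\x27 OR 1=1"
LEGIT_INPUT = b"\xbf\x5c\x27"


def naive_escape(raw: bytes) -> bytes:
    """Quote as a client library does when SET NAMES changed the server
    charset behind its back: backslash every quote, backslash and NUL byte,
    blind to multibyte boundaries."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return b"'" + bytes(out) + b"'"


def charset_aware_escape(raw: bytes, charset: str):
    """Quote at the character level: decode with the connection charset first
    so an escape can never land inside a multibyte sequence. Returns None for
    bytes that are invalid in that charset; the caller must reject those."""
    try:
        text = raw.decode(charset)
    except UnicodeDecodeError:
        return None
    escaped = text.replace("\\", "\\\\").replace("'", "\\'").replace("\0", "\\0")
    return ("'" + escaped + "'").encode(charset)


def split_literal(quoted: bytes, charset: str) -> tuple:
    """Read a quoted value the way the server does: decode with the connection
    charset, then take the literal up to the first quote that is not
    backslash-escaped (simplified: any backslash-x is read as x). Returns
    (literal_body, leftover); a non-empty leftover is text that escaped the
    literal and became SQL."""
    text = quoted.decode(charset)
    if not text.startswith("'"):
        raise ValueError("not a quoted literal")
    body, i = [], 1
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            body.append(text[i + 1])
            i += 2
            continue
        if ch == "'":
            return "".join(body), text[i + 1:]
        body.append(ch)
        i += 1
    raise ValueError("unterminated literal")
```

With the malformed input, naive_escape() produces 0xBF 0x5C 0x27, which the server reads as one GBK character followed by a bare closing quote, so " OR 1=1" leaves the literal; the charset-aware path refuses the bytes instead, and on the legitimate input it is also the only one that round-trips the value intact.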

------------------------------------------------------------------------
[2011-01-17 11:46:00] [email protected]

Will appear in PHP 5.3.6 :)

------------------------------------------------------------------------
[2011-01-17 10:54:23] [email protected]

Automatic comment from SVN on behalf of kalle
Revision: http://svn.php.net/viewvc/?view=revision&revision=307529
Log: MFT: Implemented FR #47802 (Support for setting character sets in
DSN strings)

------------------------------------------------------------------------
[2011-01-07 18:18:31] [email protected]

Automatic comment from SVN on behalf of kalle
Revision: http://svn.php.net/viewvc/?view=revision&revision=307228
Log: Added test case for #47802 and fixed macro name after the move to
mysql_options()

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    http://bugs.php.net/bug.php?id=47802
