ID: 33784 Updated by: [EMAIL PROTECTED] Reported By: pornel at despammed dot com -Status: Open +Status: Bogus Bug Type: *Directory/Filesystem functions Operating System: All? Win32 tested PHP Version: 5CVS-2005-07-20 (dev) New Comment:
Sorry, but your problem does not imply a bug in PHP itself. For a list of more appropriate places to ask for help using PHP, please visit http://www.php.net/support.php as this bug system is not the appropriate forum for asking support questions. Due to the volume of reports we can not explain in detail here why your report is not a bug. The support channels will be able to provide an explanation for you. Thank you for your interest in PHP. You should do all the required checks yourself. Previous Comments: ------------------------------------------------------------------------ [2005-07-20 12:20:08] pornel at despammed dot com Description: ------------ NUL character (C string terminator) is allowed in file paths passed to OS functions, which causes unexpected truncation of string. This is a security risk for popular, sloppy code like: include($_GET['page'].'.i-feel-safe.php'); because ?page=/etc/passwd%00 circumvents such "protection". IMHO PHP should throw an error if PHP string can't be safely converted to C string. Reproduce code: --------------- <?php fopen(urldecode("test%00.html"),"r"); Expected result: ---------------- Error: illegal path Actual result: -------------- Warning: fopen(test) [function.fopen]: failed to open stream: No such file or directory in c:\www\test.php5 on line 2 ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=33784&edit=1
