ctype, null byte and UTF-8
Posted: Fri Jun 18, 2010 1:22 pm
by phpnewbie_101
Hi, great forum!
I am validating user input with ctype. However, I have read that underlying C libraries are vulnerable to null byte injection. I do not know if this is true or not of the PHP ctype library.
So my question is: given an arbitrary string of unknown encoding, how do I guarantee all the null bytes are removed before sending the string off to PHP functions like ctype? (And my corollary question: is this even necessary?)
Thank you.
Re: ctype, null byte and UTF-8
Posted: Fri Jun 18, 2010 1:33 pm
by AbraCadaver
Depending upon what you're doing, addslashes() will escape the nul byte, or to remove it:
Code:
$var = str_replace("\0", "", $var);
You could also use chr(0).
Re: ctype, null byte and UTF-8
Posted: Mon Jun 21, 2010 3:02 am
by phpnewbie_101
Hi, thanks for the reply. So, that line of code will not corrupt UTF-8 strings?
Also I was reading about mb_string and stumbled on buffer overflow attacks on PHP 5.2.6. Debian Lenny's package is still behind. I was wondering about your thoughts on this; I thought buffer overflows had gone the way of the dodo and don't exist in interpreted languages, but apparently not. Is it worth compiling my own PHP binary?
Is there a general best practice when coding in PHP to always check the length of a string before passing the string to any extensions or (potentially) vulnerable functions?
Re: ctype, null byte and UTF-8
Posted: Mon Jun 21, 2010 7:45 am
by Apollo
phpnewbie_101 wrote: Hi, thanks for the reply. So, that line of code will not corrupt UTF-8 strings?
No, null bytes cannot be part of multi-byte UTF-8 characters. Any null byte in a UTF-8 encoded string always represents one full character by itself, i.e. U+0000.
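Added example, not part of the original thread: the point above holds only when the input really is UTF-8, so this sketch rejects byte strings that are not well-formed UTF-8 before removing NUL bytes and handing the result to ctype. The function names are hypothetical, and it assumes PHP 7.1+ with the mbstring extension loaded.

```php
<?php
// Added example; strip_nul_utf8() and is_clean_alnum() are hypothetical names.

/**
 * Return $input with NUL bytes removed, or null if it is not well-formed UTF-8.
 * In UTF-8 every byte of a multi-byte sequence is >= 0x80, so a 0x00 byte can
 * only be U+0000 and removing it cannot split a character. In UTF-16/UTF-32,
 * 0x00 bytes are part of ordinary characters, so stripping them corrupts text.
 * The check only proves well-formedness; it cannot prove the sender meant UTF-8.
 */
function strip_nul_utf8(string $input): ?string
{
    if (!mb_check_encoding($input, 'UTF-8')) {
        return null; // not UTF-8: reject instead of guessing the encoding
    }
    return str_replace("\0", '', $input);
}

/**
 * Accept only non-empty alphanumeric input once NUL bytes are gone.
 * ctype_alnum() works byte by byte and depends on the current locale.
 */
function is_clean_alnum(string $input): bool
{
    $clean = strip_nul_utf8($input);
    return $clean !== null && $clean !== '' && ctype_alnum($clean);
}

// Constructed sample inputs, shown as hex so the bytes are visible.
$samples = [
    'plain ASCII'       => 'user42',
    'trailing NUL'      => "user42\0",
    'UTF-8 e-acute+NUL' => "caf\u{00E9}\0",
    'UTF-16LE e-acute'  => "\xE9\x00",
    'truncated UTF-8'   => "abc\xC3",
];

foreach ($samples as $label => $value) {
    $clean = strip_nul_utf8($value);
    printf(
        "%-18s in=%s out=%s alnum=%s\n",
        $label,
        bin2hex($value),
        $clean === null ? 'rejected' : bin2hex($clean),
        is_clean_alnum($value) ? 'yes' : 'no'
    );
}
```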
Re: ctype, null byte and UTF-8
Posted: Fri Jun 25, 2010 1:25 pm
by kaisellgren
The latest version of PHP does not break on null bytes and I do not know whether any older version does. However, there are vulnerabilities in the PHP core every now and then, so, it is a very good idea to keep PHP up-to-date.
phpnewbie_101 wrote: I thought buffer overflows had gone the way of the dodo and don't exist in interpreted languages, but apparently not.
Buffer overflows do not exist in interpreted languages, but they may exist in the language parser itself (i.e. PHP). PHP is written in C, your PHP applications are written in PHP. Thus, your PHP applications are safe from buffer overflows, but PHP is not.
Re: ctype, null byte and UTF-8
Posted: Fri Jun 25, 2010 7:32 pm
by phpnewbie_101
Thanks. My final solution was to add the Ubuntu repo to the Debian sources.list and just download the latest PHP.
Also I'm continuing to remove null bytes, at least until I figure out how to use ESAPI.