From 7a02704c0ecdf4373c810760e70a424841619e0c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lauri=20Kentt=C3=A4?=
Date: Mon, 11 Jul 2016 12:40:03 +0300
Subject: Require strict base64 in data URI

As the tests already show, the data URI wrapper is supposed to fail for corrupt input, but for some reason, one case of invalid input is still allowed to pass?! Strict base64 makes a lot more sense here. Also, Chromium and Firefox fail on invalid base64, so it's a logical choice for PHP as well.
---
 main/streams/memory.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'main')

diff --git a/main/streams/memory.c b/main/streams/memory.c
index afa45c3968..a1af61e3f0 100644
--- a/main/streams/memory.c
+++ b/main/streams/memory.c
@@ -720,7 +720,7 @@ static php_stream * php_stream_url_wrap_rfc2397(php_stream_wrapper *wrapper, con
 dlen--;
 if (base64) {
- base64_comma = php_base64_decode((const unsigned char *)comma, dlen);
+ base64_comma = php_base64_decode_ex((const unsigned char *)comma, dlen, 1);
 if (!base64_comma) {
 zval_ptr_dtor(&meta);
 php_stream_wrapper_log_error(wrapper, options, "rfc2397: unable to decode");
-- 
cgit v1.2.1
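Review bot: The bare `1` passed as the third argument of `php_base64_decode_ex` on the added line does not say what it switches on; a short comment above the call, such as `/* strict: malformed base64 is a hard failure, as in browsers */`, would keep a later cleanup from quietly reverting to the lenient decoder. That matters for any filter or scanner that inspects a data: URI before PHP decodes it, because a lenient decoder generally lets several spellings of one payload decode to the same bytes. Inputs that used to decode will now reach the `rfc2397: unable to decode` branch, so the change presumably deserves an upgrade note and a test for the previously accepted case, if the part of the commit outside `main/` does not already add one. The body of `php_stream_url_wrap_rfc2397` starts and ends outside this hunk.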