bug symfony#54306 Throw TransformationFailedException when there is a null bytes injection (sormes)

fabpot · fabpot · commit c7ca33ad5251 · 2024-03-17T14:51:59.000Z
This PR was squashed before being merged into the 5.4 branch. Discussion ---------- Throw TransformationFailedException when there is a null bytes injection | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no  | Deprecations? | no  | Issues | -  | License | MIT On one hand, in PHP 7, DateTime::createFromFormat allows null byte injection, and on the other hand, in PHP 8, it throws a ValueError that is not caught. This PR prevents injection when using version 5.4 under PHP 7 and onwards, throwing a TransformationFailedException. Commits ------- dd3c254 Throw TransformationFailedException when there is a null bytes injection
diff --git a/src/Symfony/Component/Form/Extension/Core/DataTransformer/DateTimeToStringTransformer.php b/src/Symfony/Component/Form/Extension/Core/DataTransformer/DateTimeToStringTransformer.php
@@ -118,6 +118,10 @@ public function reverseTransform($value)
             throw new TransformationFailedException('Expected a string.');
         }
 
+        if (str_contains($value, "\0")) {
+            throw new TransformationFailedException('Null bytes not allowed');
+        }
+
         $outputTz = new \DateTimeZone($this->outputTimezone);
         $dateTime = \DateTime::createFromFormat($this->parseFormat, $value, $outputTz);
 
diff --git a/src/Symfony/Component/Form/Tests/Extension/Core/DataTransformer/DateTimeToStringTransformerTest.php b/src/Symfony/Component/Form/Tests/Extension/Core/DataTransformer/DateTimeToStringTransformerTest.php
@@ -133,6 +133,19 @@ public function testReverseTransformEmpty()
         $this->assertNull($reverseTransformer->reverseTransform(''));
     }
 
+    public function testReverseTransformWithNullBytes()
+    {
+        $transformer = new DateTimeToStringTransformer();
+
+        $nullByte = \chr(0);
+        $value = '2024-03-15 21:11:00'.$nullByte;
+
+        $this->expectException(TransformationFailedException::class);
+        $this->expectExceptionMessage('Null bytes not allowed');
+
+        $transformer->reverseTransform($value);
+    }
+
     public function testReverseTransformWithDifferentTimezones()
     {
         $reverseTransformer = new DateTimeToStringTransformer('America/New_York', 'Asia/Hong_Kong', 'Y-m-d H:i:s');

Original file line number	Diff line number	Diff line change
`@@ -118,6 +118,10 @@ public function reverseTransform($value)`
`118`	`118`	`throw new TransformationFailedException('Expected a string.');`
`119`	`119`	`}`
`120`	`120`
	`121`	`+ if (str_contains($value, "\0")) {`
	`122`	`+ throw new TransformationFailedException('Null bytes not allowed');`
	`123`	`+ }`
	`124`	`+`
`121`	`125`	`$outputTz = new \DateTimeZone($this->outputTimezone);`
`122`	`126`	`$dateTime = \DateTime::createFromFormat($this->parseFormat, $value, $outputTz);`
`123`	`127`