Hello,
Could somebody please help me with sanitizing null byte URL parameter. For example this link freezes the my blank application for a long time and I’m unable to sanitize the input 1%00.jpg in production:
https://www.xxx.xx/app/?id= 1%00.jpg
url encode? try input 1%2500.jpg
I tried all this and many other but there seems to be something inherently stopping it from working in blank application. Probably because it’s done in OnExecute?
$id = isset($_GET[‘id’]) ? (string)$_GET[‘id’] : ‘’;
$id = urlencode($id);
// Remove URL-encoded null byte and other specific unwanted patterns
$id = str_ireplace(["%00", “2500”], ‘’, $id);
// Remove null bytes (case-insensitive version doesn’t affect the null byte)
$id = str_ireplace("\0", ‘’, $id);
// Remove dots (case-insensitivity has no effect here, but used for consistency)
$id = str_ireplace(".", ‘’, $id);
// Remove percent signs (case-insensitivity has no effect here, but used for consistency)
$id = str_ireplace("%", ‘’, $id);
// Define a sanitization function for the ID
function sanitizeId($id) {
// Remove any null bytes, dots, and percent signs
//$id = str_replace(["\0", ".", "%"], '', $id);
// Allow only alphanumeric characters and hyphens (for UUID format)
return preg_replace('/[^a-zA-Z0-9\-]/', '', $id);
}
// Sanitize the ID
$id = sanitizeId($id);
$id = str_replace(chr(0), '', $id);
maybe this?
No idea why https://www.xxx.xx/app/?id= 1%00.jpg is still managing to freeze the page, thanks though for the advice which I have tested but not solving. I have tested this after clearing cache:
$id = isset($_GET[‘id’]) ? (string)$_GET[‘id’] : ‘’;
// Remove all instances of the null character
$id = str_replace(chr(0), ‘’, $id);
// Define a sanitization function for the ID
function sanitizeId($id) {
// Allow only alphanumeric characters and hyphens (e.g., for UUID format)
return preg_replace(’/[^a-zA-Z0-9-]/’, ‘’, $id);
}
// Sanitize the ID
$id = sanitizeId($id);