URL encoded query string with embedded null %00 breaks on some servers
We have a need to send an encrypted string in a query string to a web page. Sometimes because of the encryption, there is an embedded null in the string. Here is an abbreviated example of such a string, showing the characters to the right of the ?:
?code=%FE%00%FE
We have several servers that we are using this with. On some servers, the string is passed into the PHP program in $_GET['code'] just fine, and can be decoded as expected. On other servers, the presence of the %00 in the string causes the $_GET['code'] string to be empty.
Is there some setting or application level aspect that is affecting this?
The query string is working on this stack:
Apache 2.4.10 - PHP 5.5.24
The query string is empty on this stack:
Apache 2.4.12 - PHP 5.6.9
More posts by @XinRu657
1 Comments
As @closetnoc suggests, the presence of the NULL char in a URL could be seen as the source of an attack (whether the software is vulnerable or not is another matter), so some servers do actively protect against this (however, I'm not aware of this being implemented at the core). RFC3986 - Uniform Resource Identifier (URI): Generic Syntax makes specific reference to this:
Note, however, that the "%00" percent-encoding (NUL) may require special handling and should be rejected if the application is not expecting to receive raw data within a component.
On my server, any URL containing %00 in the query string is actively blocked with mod_security and a 403 Forbidden is served!
However, if you are transmitting binary data in the query string - which is designed for textual data - then it should be base64 encoded first (to convert it to plain text) before being URL (percent) encoded for transmission in the URL.
I've found this PHP bug#53767 report (although considered "Not a bug") from 2011-01-17 for PHP 5.3.4 where the URL parameter appears to be removed entirely from the $_GET array when the value contains %00.
In fact, Rasmus himself replies and says:
Unable to reproduce. Probably running some non-standard PHP code that is doing this.
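The base64-before-percent-encoding approach suggested in the answer above, shown as an added example that is not part of the original thread. It assumes PHP 7.1 or later; the helper names b64url_encode and b64url_decode and the host example.test are hypothetical, and the three ciphertext bytes are constructed to match the ?code=%FE%00%FE sample in the question.

```php
<?php
// Added example. Helper names and the URL are hypothetical.

// Encode raw bytes as URL-safe base64 (RFC 4648 section 5) without padding,
// so the value contains no '+', '/', '=' or NUL that a server or WAF may mangle.
function b64url_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Decode URL-safe base64. Returns null for anything that is not valid input.
function b64url_decode(string $text): ?string
{
    // Accept only the URL-safe alphabet; a stray NUL or other raw byte fails here.
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $text) || strlen($text) % 4 === 1) {
        return null;
    }
    $b64 = strtr($text, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4); // restore padding
    $raw = base64_decode($b64, true);                    // strict mode
    return $raw === false ? null : $raw;
}

// Sender side: constructed sample ciphertext with an embedded NUL byte.
$ciphertext = "\xFE\x00\xFE";
$query = http_build_query(['code' => b64url_encode($ciphertext)]);
$url = 'https://example.test/page.php?' . $query;
echo $url, PHP_EOL;

// Receiver side: in a real request the value would come from $_GET['code'].
parse_str(parse_url($url, PHP_URL_QUERY), $params);
$decoded = b64url_decode($params['code'] ?? '');
if ($decoded === null) {
    http_response_code(400);
    exit('invalid code parameter');
}

// The original bytes, including the NUL, survive the round trip.
var_dump($decoded === $ciphertext);
```

Because the transmitted value is plain ASCII, the URL no longer contains %00, so a mod_security rule or server-side filter that rejects NUL in the query string has nothing to act on.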