Innovate faster and cut risk with PHP experts from Zend Services.
Explore Services
See How Zend Helps Leading Hosting Providers Keep Their Managed Sites on Secure PHP
Read More
Learn PHP from PHP experts with free, on-demand, and instructor led courses.
Explore Training
Submit support requests and browse self-service resources.
Explore Support
PHP DirectoryIterator class accepts filenames with embedded null byte and treats them as terminating at that byte
In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP's DirectoryIterator class accepts filenames with embedded null bytes (\u0000) and treats them as terminating at that byte. This can lead to security vulnerabilities when applications check paths that the code is allowed to access.
DirectoryIterator
\u0000
Filter paths and filenames before providing them to the DirectoryIterator constructor:
preg_replace('/\\0/', "", $var);
When possible, update to PHP 7.2.26 or later, PHP 7.3.13 or later, or 7.4.1 or later.
Direct link to CVE-2019-11045 >
< View all CVEs