Fix base64 transforms (#35693)

miguelxpn · web-flow · commit 346f6d4bbdbd · 2024-02-28T23:13:01.000Z
* Fix base64 transforms

* changelog

* Fix flags and tests

* Improve documentation strings
diff --git a/projects/packages/waf/changelog/fix-waf-b64-transforms b/projects/packages/waf/changelog/fix-waf-b64-transforms
@@ -0,0 +1,4 @@
+Significance: patch
+Type: fixed
+
+Fixed base64 transforms to better conform with the modsecurity runtime
diff --git a/projects/packages/waf/src/class-waf-transforms.php b/projects/packages/waf/src/class-waf-transforms.php
@@ -11,6 +11,17 @@
  * Waf_Transforms class
  */
 class Waf_Transforms {
+
+	/**
+	 * Decode a Base64-encoded string. This runs the decode without strict mode, to match Modsecurity's 'base64DecodeExt' transform function.
+	 *
+	 * @param string $value value to be decoded.
+	 * @return string
+	 */
+	public function base64_decode_ext( $value ) {
+		return base64_decode( $value );
+	}
+
 	/**
 	 * Characters to match when trimming a string.
 	 * Emulates `std::isspace` used by ModSecurity.
@@ -20,13 +31,13 @@ class Waf_Transforms {
 	const TRIM_CHARS = " \n\r\t\v\f";
 
 	/**
-	 * Decode a Base64-encoded string.
+	 * Decode a Base64-encoded string. This runs the decode with strict mode, to match Modsecurity's 'base64Decode' transform function.
 	 *
 	 * @param string $value value to be decoded.
 	 * @return string
 	 */
 	public function base64_decode( $value ) {
-		return base64_decode( $value );
+		return base64_decode( $value, true );
 	}
 
 	/**
diff --git a/projects/packages/waf/tests/php/unit/test-waf-transforms.php b/projects/packages/waf/tests/php/unit/test-waf-transforms.php
@@ -51,10 +51,20 @@ public function transformDataProvider() {
 		yield array(
 			'base64_decode',
 			array(
-				''                 => '',
-				'VGVzdENhc2U='     => 'TestCase',
-				'VGVzdENhc2Ux'     => 'TestCase1',
-				'VGVzdENhc2UxMg==' => 'TestCase12',
+				''                       => '',
+				'VGVzdENhc2U='           => 'TestCase',
+				'VGVzdENhc2Ux'           => 'TestCase1',
+				'VGVzdENhc))((((2UxMg==' => false,
+			),
+		);
+
+		yield array(
+			'base64_decode_ext',
+			array(
+				''                       => '',
+				'VGVzdENhc2U='           => 'TestCase',
+				'VGVzdENhc2Ux'           => 'TestCase1',
+				'VGVzdENhc))((((2UxMg==' => 'TestCase12',
 			),
 		);
 
