Description: ------------ Hello, In methods 'postalCode' and 'carReg' it is possible to circumvent the validation with the null character (%00), and everything that is going to be injected will disregard. In methods 'cpf ' and 'cnpj' is removed all characters that aren't digits, and it is possible to send, such '77 .222.814/0001-03ABC', the method clean these letters and treats it as the real value sent by the user. In the method 'phoneNumber' can inject new line (%0a); Thunk You. Test script: --------------- GET: cep=88000000%00&cpf=050.068.993-87ABC&cnpj=77.222.814/0001-03ABC&phone=4831200001%0a&carReg=ABC-1234%00 <?php require_once("Validate/ptBR_patch2.php"); $Validate_ptBR = new Validate_ptBR(); echo "CEP: ", ($Validate_ptBR->postalCode($_GET['cep'])) ? "true" : "false", "\n"; echo "CPF: ", ($Validate_ptBR->cpf($_GET['cpf'])) ? "true" : "false", "\n"; echo "CNPJ: ", ($Validate_ptBR->cnpj($_GET['cnpj'])) ? "true" : "false", "\n"; echo "PHONE: ", ($Validate_ptBR->phoneNumber($_GET['phone'])) ? "true" : "false", "\n"; echo "carReg: ", ($Validate_ptBR->carReg($_GET['carReg'])) ? "true" : "false"; ?> Expected result: ---------------- CEP: false CPF: false CNPJ: false PHONE: false carReg: false Actual result: -------------- CEP: true CPF: true CNPJ: true PHONE: true carReg: true

This bug has been fixed in CVS. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better. Henrique, A fix will come sooner, probably until next saturday. Thanks for helping us! Regards, --Marcelo

Hi Marcelo, It was forgotten in code (Revision 1.17), the method CPF, the routine: $cleaned = ''; for ($i = 0; $i < strlen($cpf); $i++) { $num = substr($cpf, $i, 1); if (ord($num) >= 48 && ord($num) <= 57) { $cleaned .= $num; } } $cpf = $cleaned; The following routine makes this role: $cpf = preg_replace("/[^\d]/", '', $cpf); Thanks again! J Henrique

This bug has been fixed in CVS. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better. Hello Jota, this bug has been fixed on CVS and the php test is updated to cover those changes (except for the license plates). regards, Igor Feghali.