diff --git a/src/Symfony/Component/Form/Extension/Core/DataTransformer/DateTimeToStringTransformer.php b/src/Symfony/Component/Form/Extension/Core/DataTransformer/DateTimeToStringTransformer.php index 4e3df8690a571..b4e13eb8fb1cc 100644 --- a/src/Symfony/Component/Form/Extension/Core/DataTransformer/DateTimeToStringTransformer.php +++ b/src/Symfony/Component/Form/Extension/Core/DataTransformer/DateTimeToStringTransformer.php @@ -118,6 +118,10 @@ public function reverseTransform($value) throw new TransformationFailedException('Expected a string.'); } + if (str_contains($value, "\0")) { + throw new TransformationFailedException('Null bytes not allowed'); + } + $outputTz = new \DateTimeZone($this->outputTimezone); $dateTime = \DateTime::createFromFormat($this->parseFormat, $value, $outputTz); diff --git a/src/Symfony/Component/Form/Tests/Extension/Core/DataTransformer/DateTimeToStringTransformerTest.php b/src/Symfony/Component/Form/Tests/Extension/Core/DataTransformer/DateTimeToStringTransformerTest.php index 66ad9ff416e26..f7ef667e769b6 100644 --- a/src/Symfony/Component/Form/Tests/Extension/Core/DataTransformer/DateTimeToStringTransformerTest.php +++ b/src/Symfony/Component/Form/Tests/Extension/Core/DataTransformer/DateTimeToStringTransformerTest.php @@ -133,6 +133,19 @@ public function testReverseTransformEmpty() $this->assertNull($reverseTransformer->reverseTransform('')); } + public function testReverseTransformWithNullBytes() + { + $transformer = new DateTimeToStringTransformer(); + + $nullByte = \chr(0); + $value = '2024-03-15 21:11:00'.$nullByte; + + $this->expectException(TransformationFailedException::class); + $this->expectExceptionMessage('Null bytes not allowed'); + + $transformer->reverseTransform($value); + } + public function testReverseTransformWithDifferentTimezones() { $reverseTransformer = new DateTimeToStringTransformer('America/New_York', 'Asia/Hong_Kong', 'Y-m-d H:i:s');