Sec Bug #55856 preg_replace should fail on trailing garbage
Submitted: 2011-10-06 05:03 UTC Modified: 2014-02-20 22:23 UTC
From: reg dot php at alf dot nu Assigned: yohgaki (profile)
Status: Closed Package: PCRE related
PHP Version: 5.4.0beta1 OS: All
Private report: No CVE-ID: None
 [2011-10-06 05:03 UTC] reg dot php at alf dot nu
Description:
------------
The following (ill-advised but not uncommon) code...

   preg_replace('/'.$a.'/i', $b, $c)

will eval $b if $a contains "/e\0".

Good fix: turn null bytes into backslash-zero before passing them to PCRE.

Easier fix: check that 'pp' is actually at the end of the string and not just at 
some random null byte after the modifier loop in pcre_get_compiled_regex_cache, 
and error out if not.

Test script:
---------------
<?php
// "\0" inside a double-quoted PHP string is a real null byte
$word = "die('Lalala'); 1||1/e\0";

// Slightly contrived example, but let's pretend we're
// case-normalizing a user-provided word, and forgot to
// preg_quote

$text = '';   // subject string; defined here so the script runs without a notice

$text = preg_replace('/'.$word.'/i', $word, $text);


Expected result:
----------------
"preg_replace(): Unknown modifier '\0' in ..."

(or some better error message)

Actual result:
--------------
Code execution.
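The following is an added model of the "easier fix" proposed above, written for this page as an illustration; it is hypothetical code, not ext/pcre/php_pcre.c, and the names parse_pattern, pattern_parse and bug55856_payload are mine. It parses a PHP-style "/body/modifiers" string with an explicit length, the way PHP's binary-safe strings carry it, and shows the difference between a modifier loop that stops at the first NUL and one that also insists the loop ended at the real end of the string. The test input is constructed from the report's payload; the accepted modifier letters are an assumption.

```c
/* Hypothetical model of the delimiter/modifier parse for a PHP-style
 * "/body/mods" pattern. Written for this page; NOT ext/pcre/php_pcre.c. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    bool        ok;            /* parse accepted the pattern */
    bool        eval_modifier; /* the 'e' modifier was seen */
    const char *body;          /* regex body between the delimiters */
    size_t      body_len;
    const char *error;         /* set when ok == false */
} pattern_parse;

/* Constructed from the report: the word "die('Lalala'); 1||1/e" followed
 * by a NUL, wrapped by the caller in '/' ... '/i'. 25 bytes, NUL included. */
static const char bug55856_payload[] = "/die('Lalala'); 1||1/e\0/i";
static const size_t bug55856_payload_len = sizeof(bug55856_payload) - 1;

/* Parse pattern[0..len). 'len' is the real length, so an embedded NUL is
 * just another byte. With check_end == false the function behaves like a
 * C-string-style modifier loop (stops at the first NUL and accepts); with
 * check_end == true it applies the report's fix and rejects leftovers. */
static pattern_parse parse_pattern(const char *pattern, size_t len, bool check_end)
{
    pattern_parse r = { false, false, NULL, 0, NULL };
    const char *end = pattern + len;
    const char *p = pattern;

    while (p < end && isspace((unsigned char)*p)) p++;   /* leading whitespace */
    if (p == end) { r.error = "empty regular expression"; return r; }

    char open = *p++, close = open;
    if (isalnum((unsigned char)open) || open == '\\') {
        r.error = "delimiter must not be alphanumeric or backslash";
        return r;
    }
    if (open == '(') close = ')';
    else if (open == '[') close = ']';
    else if (open == '{') close = '}';
    else if (open == '<') close = '>';

    /* Find the closing delimiter; a backslash escapes the next byte and
     * bracket-style delimiters may nest. */
    r.body = p;
    int depth = 1;
    while (p < end) {
        if (*p == '\\' && p + 1 < end) { p += 2; continue; }
        if (*p == close && --depth == 0) break;
        if (*p == open && open != close) depth++;
        p++;
    }
    if (p == end) { r.error = "no ending delimiter found"; return r; }
    r.body_len = (size_t)(p - r.body);
    p++;                                    /* step over the closing delimiter */

    /* Modifier loop. Stopping on NUL is what makes "e\0/i" look like just "e". */
    const char *pp = p;
    while (pp < end && *pp != '\0') {
        switch (*pp) {
        case 'i': case 'm': case 's': case 'x': case 'A': case 'D':
        case 'S': case 'U': case 'X': case 'J': case 'u':
            break;
        case 'e':
            r.eval_modifier = true;
            break;
        case ' ': case '\n': case '\r':
            break;
        default:
            r.error = "unknown modifier";
            return r;
        }
        pp++;
    }

    /* The fix: pp must sit at the real end of the length-delimited string,
     * not merely at the first NUL byte. */
    if (check_end && pp != end) {
        r.error = "trailing garbage after modifiers (embedded NUL byte)";
        return r;
    }
    r.ok = true;
    return r;
}

int main(void)
{
    pattern_parse lax   = parse_pattern(bug55856_payload, bug55856_payload_len, false);
    pattern_parse fixed = parse_pattern(bug55856_payload, bug55856_payload_len, true);
    printf("lax:   ok=%d eval=%d\n", lax.ok, lax.eval_modifier);
    printf("fixed: ok=%d error=%s\n", fixed.ok, fixed.error);
    return 0;
}
```

Run as is: the lax parse accepts the payload with the eval flag set and silently drops the "/i" the developer appended after the NUL; the checked parse rejects the same bytes. This is the engine-side check; the userland mitigation the report alludes to remains passing user input through preg_quote() before building a pattern.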


History

 [2011-10-06 05:10 UTC] reg dot php at alf dot nu
Uploading a patch failed (probably because I can't see the task)

Try http://stuff.alf.nu/pcre_null_byte.patch
 [2014-02-20 22:23 UTC] yohgaki@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: yohgaki
 [2014-10-07 23:22 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=8b3c1a380a182655113b94b0b96551e98d05a8d3
Log: fix bug #55856: preg_replace should fail on trailing garbage
 [2014-10-07 23:33 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=8b3c1a380a182655113b94b0b96551e98d05a8d3
Log: fix bug #55856: preg_replace should fail on trailing garbage
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 10:01:30 2024 UTC