|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2011-10-06 05:10 UTC] reg dot php at alf dot nu
[2014-02-20 22:23 UTC] yohgaki@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: yohgaki
[2014-10-07 23:22 UTC] stas@php.net
[2014-10-07 23:33 UTC] stas@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 09:01:32 2024 UTC |
Description: ------------ The following (ill-advised but not uncommon) code... preg_replace('/'.$a.'/i', $b, $c) will eval $b if $a contains "/e\0". Good fix: turn null bytes into backslash-zero before passing them to PCRE. Easier fix: check that 'pp' is actually at the end of the string and not just at some random null byte after the modifier loop in pcre_get_compiled_regex_cache, and error out if not. Test script: --------------- $word = "die('Lalala'); 1||1/e\0"; // Slightly contrived example, but let's pretend we're // case-normalizing a user-provided word, and forgot to // preg_quote $text = preg_replace('/'.$word.'/i', $word, $text); Expected result: ---------------- "preg_replace(): Unknown modifier '\0' in ..." (or some better error message) Actual result: -------------- Code execution.