PHP :: Bug #38920 :: preg_replace allows backreferences from a replacement string

Bug #38920	preg_replace allows backreferences from a replacement string
Submitted:	2006-09-22 08:13 UTC	Modified:	2006-09-23 12:02 UTC
From:	jason at vancetech dot com	Assigned:
Status:	Not a bug	Package:	PCRE related
PHP Version:	4.4.4	OS:	FreeBSD 6.1
Private report:	No	CVE-ID:	None

View Developer Edit

[2006-09-22 08:13 UTC] jason at vancetech dot com

Description:
------------
preg_replace allows backreferences from the replacement string which seems insecure.  Parsing every replacement string is necessary when data comes from a tainted source.

Perl handles this nicely by only allowing backreference's that are used directly in the replacement text and not contained in a {tainted} string.

Reproduce code:
---------------
$text = 'This item costs $0.99';
$html = '<b>%COST%No items%COST%</b>';
print preg_replace('/%COST%.*?%COST%/i', $text, $html);

Expected result:
----------------
<b>This item costs $0.99</b>

Actual result:
--------------
This item costs %COST%No items%COST%.99

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-09-23 12:02 UTC] tony2001@php.net

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Nov 04 19:00:02 2025 UTC