Doc Bug #47797 Security vulnerability in preg_replace is not documented clearly enough
Submitted: 2009-03-26 23:38 UTC Modified: 2009-04-21 03:06 UTC
From: spam04 at pornel dot net Assigned:
Status: Not a bug Package: Documentation problem
PHP Version: Irrelevant OS: *
Private report: No CVE-ID: None
 [2009-03-26 23:38 UTC] spam04 at pornel dot net
Description:
------------
Re bug #47796:

Documentation for preg_replace only suggests checking PHP's string 
syntax in a non-alarming way.
 
Given that replacement code with double quotes (which is even used in 
the manual itself) could enable remote code execution, there should be a 
clearly worded and highlighted warning about this.

The fragment "This is done to ensure that no syntax errors arise from 
backreference usage with either single or double quotes" could lead 
readers to believe that PHP escapes strings thoroughly and properly.
That is not the case:

// with /e the replacement is eval()ed as PHP code after "$0" is substituted
preg_replace('/.*/e','"$0"', '{$foo[}');


Expected result:
----------------
Huge red box in manual with "Don't use /e".
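The legacy /e form the report warns about, next to the callback form that does not evaluate anything, as an added example that is not part of the bug report (the function names wrap_matches_legacy and wrap_matches_safe and the sample input are assumptions made here):

```php
<?php
// Added example, not from the bug report. Assumed names: wrap_matches_legacy(),
// wrap_matches_safe(). Shows why the /e modifier is dangerous and the safe
// replacement using preg_replace_callback().

// Legacy form (PHP < 7.0 only, shown for contrast): the /e modifier makes PHP
// eval() the replacement string after substituting "$0". The substitution is
// only quote-escaped, so a match containing PHP interpolation syntax such as
// {$...} is parsed as code inside the double-quoted string, not as text.
// On PHP >= 7.0 the modifier no longer exists; the call emits a warning and
// returns NULL.
function wrap_matches_legacy(string $input): ?string
{
    return preg_replace('/\w+/e', '"[$0]"', $input);
}

// Safe form: the callback receives the match as a plain PHP value. Nothing is
// eval()ed, so the match contents are never parsed as code, whatever
// characters they contain.
function wrap_matches_safe(string $input): string
{
    return preg_replace_callback(
        '/\w+/',
        static fn(array $m): string => '[' . $m[0] . ']',
        $input
    );
}

// Constructed sample input containing the interpolation syntax that a legacy
// double-quoted replacement would have tried to evaluate.
$untrusted = 'hello {$foo[} world';

// The braces and dollar sign pass through as literal data.
var_dump(wrap_matches_safe($untrusted));
```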



 [2009-04-21 03:06 UTC] fa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue May 07 01:01:30 2024 UTC