[2009-03-26 22:38 UTC] spam04 at pornel dot net
[2009-03-26 22:45 UTC] scottmac@php.net
Description:
------------
preg_replace does not escape $ character. If double quotes are used in replacement code, this enables unwanted injection of variables or even execution of PHP code.

My suggestion is to escape $ character and discourage use of single quotes in replacement code (because they're not compatible with the way $ and " are escaped).

Reproduce code:
---------------
// simple case:
preg_replace('/.*/e','strtoupper("$0")', '$foo');

// code execution:
class test
{
    function pwnd() {echo "pwnd!\n";}

    function replace($str)
    {
        preg_replace('/.*/e','strtoupper("$0")', $str);
    }
}

$t = new test();
$t->replace('{$this->pwnd()}');

Expected result:
----------------
$FOO
{$THIS->PWND()}

Actual result:
--------------
PHP Notice: Undefined variable: foo
pwnd!
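
The report's two inputs handled with preg_replace_callback instead of the /e modifier (deprecated in PHP 5.5, removed in 7.0), as an added example that is not code from the report or from the PHP project. The names `upper_match` and `has_eval_modifier` are hypothetical; the second is a simple audit check for pattern strings that still carry the modifier.

```php
<?php
// Added example; not from the bug report or the PHP project.

// The match reaches the callback as data in $m[0]; it is never
// interpolated into a string that PHP then evaluates as code.
function upper_match(string $subject): string
{
    return preg_replace_callback(
        '/.*/',
        function (array $m): string {
            return strtoupper($m[0]);
        },
        $subject
    );
}

// Hypothetical audit helper: true if a PCRE pattern string carries the
// "e" modifier. Handles bracket-style delimiters such as (...) or {...}.
function has_eval_modifier(string $pattern): bool
{
    $pattern = ltrim($pattern);
    if ($pattern === '') {
        return false;
    }
    $pairs = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
    $close = $pairs[$pattern[0]] ?? $pattern[0];
    $end = strrpos($pattern, $close);
    if ($end === false || $end === 0) {
        return false; // no closing delimiter found
    }
    // Everything after the closing delimiter is the modifier list.
    return strpos(substr($pattern, $end + 1), 'e') !== false;
}

// Same shape as the class in the report, with pwnd() recording a call.
class test
{
    public $called = false;
    function pwnd() { $this->called = true; }
    function replace($str) { return upper_match($str); }
}

$t = new test();
var_dump(upper_match('$foo') === '$FOO');
var_dump($t->replace('{$this->pwnd()}') === '{$THIS->PWND()}');
var_dump($t->called === false);
var_dump(has_eval_modifier('/.*/e'), has_eval_modifier('/e.*/i'));
```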