Request #65079 mb_ereg_replace's e modifier should be deprecated
Submitted: 2013-06-21 00:23 UTC Modified: 2016-07-28 12:42 UTC
From: masakielastic at gmail dot com Assigned: cmb (profile)
Status: Closed Package: mbstring related
PHP Version: 5.5.0 OS: Any
Private report: No CVE-ID: None
 [2013-06-21 00:23 UTC] masakielastic at gmail dot com
Description:
------------
mb_ereg_replace's e modifier should be deprecated to prevent PHP code 
execution, and an explanation of using mb_ereg_replace_callback (since PHP 
5.4.1) should be added to the manual. 

PHP: code execution via mb_ereg_replace
http://vigilance.fr/vulnerability/PHP-code-execution-via-mb-ereg-replace-8711

The reason why preg_replace's e modifier was deprecated in PHP 5.5 can be 
applied to mb_ereg_replace's e modifier.

http://www.php.net/manual/en/function.preg-replace.php
https://wiki.php.net/rfc/remove_preg_replace_eval_modifier

There is an example implementation of mb_ereg_replace_callback as a user 
function.

http://d.hatena.ne.jp/hnw/20110206

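The migration the report asks for, as an added illustration (example code written for this page, not the submitter's, hnw's, or php-src's own; the function names, the template syntax and the sample inputs are made up here). The first function shows the deprecated `'e'` option, where the replacement argument is PHP source and the matched text is interpolated into it before evaluation; the second and third use `mb_ereg_replace_callback()`, where the match arrives as plain data and nothing is evaluated.

```php
<?php
// Added example for this report; not code from the submitter or from php-src.
declare(strict_types=1);

mb_regex_encoding('UTF-8');

// Legacy form. With the 'e' option the replacement argument is PHP source:
// backreferences such as \1 are interpolated from the subject first, then the
// result is evaluated. The subject string therefore reaches eval(), which is
// why the option is deprecated (E_DEPRECATED on PHP >= 7.1).
function shoutWordsLegacy(string $subject): string
{
    return mb_ereg_replace('([[:alpha:]]+)', 'mb_strtoupper("\1")', $subject, 'e');
}

// Replacement form. The callback receives the match as an array of strings
// ($m[0] is the whole match, $m[1] the first group) and returns the
// replacement as data. Quotes or PHP syntax in the subject are inert.
function shoutWords(string $subject): string
{
    $result = mb_ereg_replace_callback(
        '([[:alpha:]]+)',
        static fn(array $m): string => mb_strtoupper($m[1]),
        $subject
    );
    // mb_ereg_replace_callback() returns false on a regex error; fail loudly
    // rather than silently handing the unmodified text along.
    if ($result === false) {
        throw new RuntimeException('mb_ereg_replace_callback() failed');
    }
    return $result;
}

// Context that the 'e' option could only reach by splicing it into the
// evaluated string is passed to the callback with a closure binding instead.
// Placeholder syntax {{name}} is invented for this example.
function renderTemplate(string $template, array $vars): string
{
    $result = mb_ereg_replace_callback(
        '\{\{([[:alnum:]_]+)\}\}',
        static function (array $m) use ($vars): string {
            // Unknown placeholders are left as-is rather than expanded.
            return array_key_exists($m[1], $vars) ? (string) $vars[$m[1]] : $m[0];
        },
        $template
    );
    if ($result === false) {
        throw new RuntimeException('mb_ereg_replace_callback() failed');
    }
    return $result;
}

// Constructed sample inputs.
echo shoutWords('héllo wörld'), "\n";
echo renderTemplate('Hi {{name}}, you have {{count}} messages {{missing}}',
                    ['name' => 'Ana', 'count' => 3]), "\n";
// The legacy call still works on PHP 7.1 but emits a deprecation notice.
echo shoutWordsLegacy('héllo'), "\n";
```

The callback form also keeps the regex options (the fourth parameter) free for real matching flags such as `i` or `m`; there is no longer any option that changes how the replacement is interpreted, which is the property yohgaki's comment below points to.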
 [2013-06-28 06:01 UTC] yohgaki@php.net
Comment for clarification.

Unlike preg_replace(), mb_ereg_replace()'s 'e' modifier is specified as a 
separate parameter. preg_replace() allows setting the 'e' modifier in the regex, and this 
made preg_replace() much more dangerous than mb_ereg_replace().

However, a callback is much more secure. Therefore, implementation of 
mb_ereg_replace_callback() is highly encouraged.
 [2016-07-28 12:12 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2016-07-28 12:12 UTC] cmb@php.net
mb_ereg_replace_callback() is available as of PHP 5.4.1[1]; the 'e'
modifier is deprecated as of PHP 7.1.0[2]. The latter is not yet
documented, though.

[1] <http://php.net/manual/en/function.mb-ereg-replace-callback.php>
[2] <https://wiki.php.net/rfc/deprecate_mb_ereg_replace_eval_option>.
 [2016-07-28 12:42 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 [2016-07-28 12:42 UTC] cmb@php.net
> The latter is not yet documented, though.

Done - closing.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Thu Mar 13 21:01:32 2025 UTC