|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-06-27 19:37 UTC] stas@php.net
-Status: Open
+Status: Not a bug
-Type: Security
+Type: Bug
[2016-06-27 19:37 UTC] stas@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Tue May 13 10:01:27 2025 UTC |
Description: ------------ create_function puts the given arguments to the "function" block then eval, so attacker can use a close bracket to escape this block and execute the code without calling the new function. Test script: --------------- <?php $a = create_function('$b','}echo "this should not be executed\n";{'); ?> Expected result: ---------------- vps@pc:~ /opt/php7/bin/php a.php vps@pc:~ Actual result: -------------- vps@pc:~ /opt/php7/bin/php -v PHP 7.1.0-dev (cli) (built: Jun 27 2016 11:16:33) ( NTS DEBUG ) Copyright (c) 1997-2016 The PHP Group Zend Engine v3.1.0-dev, Copyright (c) 1998-2016 Zend Technologies vps@pc:~ /opt/php7/bin/php a.php this should not be executed vps@pc:~