Bug #30552 Apache Crash with a regular expression
Submitted: 2004-10-25 16:31 UTC Modified: 2005-01-04 11:50 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: cristic at interaktonline dot com Assigned:
Status: Not a bug Package: Apache2 related
PHP Version: 4.3.9 OS: Windows XP Home Edition
Private report: No CVE-ID: None
 [2004-10-25 16:31 UTC] cristic at interaktonline dot com
Description:
------------
Crashing configurations:

Apache 2.0.50
with PHP 4.3.7, 4.3.8, 4.3.9
or 
Apache 2.0.48
with PHP 4.3.6
OS Win XP Home Edition

The code below is not crashing with PHP 4.3.7, 4.3.8 or 4.3.9 and Apache 1.3.31 same OS.

Reproduce code:
---------------
<?php
// Query that triggers the crash (note that it contains no LIMIT clause,
// so the pattern can only fail after scanning the whole string)
$sql = "SELECT sur_survey_ssr.id_ssr,sur_survey_ssr.name_ssr, sur_survey_ssr.welcome_ssr,sur_survey_ssr.thankyou_ssr, sur_survey_ssr.footer_ssr,sur_survey_ssr.header_ssr, sur_survey_ssr.startdate_ssr,sur_survey_ssr.enddate_ssr, sur_survey_ssr.url_ssr,sur_survey_ssr.active_ssr, count(s2.id_srs) as responses, count(s1.id_srs) as test FROM sur_survey_ssr  LEFT JOIN sur_response_srs s2 ON id_ssr=s2.idssr_srs LEFT JOIN sur_response_srs s1 ON id_ssr=s1.idssr_srs AND s1.test_srs=1 WHERE 1=1 GROUP BY sur_survey_ssr.id_ssr ORDER BY startdate_ssr DESC";

// Pattern with the (.|\n|\r)* alternation that makes PCRE backtrack over every character
if (preg_match('/^(\s|\n|\r)*select(.|\n|\r)*limit\s+-?[0-9]+(\s|\n|\r)*(,(\s|\n|\r)*-{0,1}[0-9]+){0,1}(\s|\n|\r)*$/im', $sql, $matches)) {
	die('a');   // matched
} else {
	die('b');   // no match
}
?>

Expected result:
----------------
- The regular expression should match any string which starts with the 'SELECT' SQL keyword and ends with a LIMIT SQL condition.


Actual result:
--------------
- When this specific string, contained in the $sql variable, is used, the Apache process crashes.

- Backtracking the problem, I found out that the following regular expression stops crashing the Web Server:

'/^(\s|\n|\r)*select(\n|\r)*limit\s+-?[0-9]+(\s|\n|\r)*(,(\s|\n|\r)*-{0,1}[0-9]+){0,1}(\s|\n|\r)*$/im'

- The crash appears immediately; it's not an infinite loop.

 [2004-11-10 09:18 UTC] cmarin at interaktonline dot com
I'm back:

The bug appears to be a memory allocation issue when it tries to split the string. A workaround is the use of the 's' modifier.

The following RegExp having the same results works:

'/^(\s|\n|\r)*select.*limit\s+-?[0-9]+(\s|\n|\r)*(,(\s|\n|\r)*-{0,1}[0-9]+){0,1}(\s|\n|\r)*$/ims'
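A defensive version of the check discussed in this report, added here as an example (it is not code from the report or from PHP itself): it runs constructed queries through the reporter's alternation pattern and through the '/s' rewrite above, with PCRE's limits lowered so that a pattern that needs too much backtracking is aborted with an error code instead of exhausting the process stack. It assumes PHP 8.0 or later (for preg_last_error_msg()); the limit values and the sample queries are illustrative.

```php
<?php
// Added example, not code from the bug report. Runs a few constructed queries
// through the reporter's alternation pattern and through the /s rewrite posted
// later in the thread, with PCRE limits lowered so a pattern that needs too much
// backtracking fails with an error instead of taking the web server down.
// Assumes PHP >= 8.0 (preg_last_error_msg).

// Lowered from the defaults (backtrack 1000000, recursion 100000) so a runaway
// match is cut off early; tune them to the longest legitimate input you expect.
ini_set('pcre.backtrack_limit', '100000');
ini_set('pcre.recursion_limit', '5000');

// Reporter's pattern: each character is tried as '.', then '\n', then '\r',
// and every iteration of the group leaves a backtracking point behind.
const PATTERN_ALTERNATION = '/^(\s|\n|\r)*select(.|\n|\r)*limit\s+-?[0-9]+(\s|\n|\r)*(,(\s|\n|\r)*-{0,1}[0-9]+){0,1}(\s|\n|\r)*$/im';

// Rewrite from the thread: with /s the dot also matches newlines, so the
// alternation collapses to '.*' and PCRE has far fewer choice points to revisit.
const PATTERN_DOTALL = '/^(\s|\n|\r)*select.*limit\s+-?[0-9]+(\s|\n|\r)*(,(\s|\n|\r)*-{0,1}[0-9]+){0,1}(\s|\n|\r)*$/ims';

// Runs preg_match and never mistakes a PCRE failure for "no match".
// Returns ['matched' => bool|null, 'error' => string|null].
function match_with_limits(string $pattern, string $subject): array
{
    $rc = preg_match($pattern, $subject);
    if ($rc === false) {
        // Backtrack limit, recursion limit or JIT stack limit exhausted:
        // the match was aborted, but the process is still alive.
        return ['matched' => null, 'error' => preg_last_error_msg()];
    }
    return ['matched' => $rc === 1, 'error' => null];
}

// Constructed inputs: one with a LIMIT clause, one without, and a long one
// without LIMIT that forces the scan to backtrack over every character.
$samples = [
    'with_limit'    => "SELECT id, name\nFROM survey\nWHERE active = 1\nLIMIT 10, 20",
    'without_limit' => "SELECT id FROM survey ORDER BY startdate DESC",
    'long_no_limit' => "SELECT " . str_repeat("col_a, col_b,\r\n", 400) . "col_z FROM survey",
];

foreach ($samples as $label => $sql) {
    foreach (['alternation' => PATTERN_ALTERNATION, 'dotall' => PATTERN_DOTALL] as $name => $pattern) {
        $r = match_with_limits($pattern, $sql);
        printf("%-14s %-12s matched=%s error=%s\n", $label, $name,
            var_export($r['matched'], true), $r['error'] ?? '-');
    }
}
```

Whether the long input trips the lowered limits depends on the PHP/PCRE version and on whether the JIT is enabled; the point is that the result is an error value to handle, not a crashed worker.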
 [2005-01-04 11:50 UTC] sniper@php.net
Not a PHP bug. (PCRE has limitations..)

 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu May 02 01:01:30 2024 UTC