php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #47796 preg_replace /e modifier allows unexpected code execution
Submitted: 2009-03-26 22:36 UTC Modified: 2009-03-26 22:45 UTC
From: spam04 at pornel dot net Assigned:
Status: Not a bug Package: PCRE related
PHP Version: 5.2.9 OS: *
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: spam04 at pornel dot net
New email:
PHP Version: OS:

 

 [2009-03-26 22:36 UTC] spam04 at pornel dot net
Description:
------------
preg_replace does not escape $ character. If double quotes are used in 
replacement code, this enables unwanted injection of variables or even 
execution of PHP code.

My suggestion is to escape $ character and discourage use of single 
quotes in replacement code (because they're not compatible with the way 
$ and " are escaped).


Reproduce code:
---------------
// simple case:
preg_replace('/.*/e','strtoupper("$0")', '$foo');

// code execution:
class test
{
    function pwnd() {echo "pwnd!\n";}
    
    function replace($str)
    {
        preg_replace('/.*/e','strtoupper("$0")', $str);
    }
}

$t = new test();
$t->replace('{$this->pwnd()}');


Expected result:
----------------
$FOO
{$THIS->PWND()}

Actual result:
--------------
PHP Notice:  Undefined variable: foo
pwnd!

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-03-26 22:38 UTC] spam04 at pornel dot net
I forgot to add echo before preg_replace() in reproduce code.
 [2009-03-26 22:45 UTC] scottmac@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.  Due to the volume
of reports we can not explain in detail here why your report is not
a bug.  The support channels will be able to provide an explanation
for you.

Thank you for your interest in PHP.

Use preg_replace_callback instead.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 17:01:29 2024 UTC