php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #55856 preg_replace should fail on trailing garbage
Submitted: 2011-10-06 05:03 UTC Modified: 2014-02-20 22:23 UTC
From: reg dot php at alf dot nu Assigned: yohgaki
Status: Closed Package: PCRE related
PHP Version: 5.4.0beta1 OS: All
Private report: No CVE-ID:
 [2011-10-06 05:03 UTC] reg dot php at alf dot nu
Description:
------------
The following (ill-advised but not uncommon) code...

   preg_replace('/'.$a.'/i', $b, $c)

will eval $b if $a contains "/e\0".

Good fix: turn null bytes into backslash-zero before passing them to PCRE.

Easier fix: check that 'pp' is actually at the end of the string and not just at 
some random null byte after the modifier loop in pcre_get_compiled_regex_cache, 
and error out if not.

Test script:
---------------
 $word = "die('Lalala'); 1||1/e\0";

// Slightly contrived example, but let's pretend we're
// case-normalizing a user-provided word, and forgot to
// preg_quote

$text = preg_replace('/'.$word.'/i', $word, $text);


Expected result:
----------------
"preg_replace(): Unknown modifier '\0' in ..."

(or some better error message)

Actual result:
--------------
Code execution.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-10-06 05:10 UTC] reg dot php at alf dot nu
Uploading a patch failed (probably because I can't see the task)

Try http://stuff.alf.nu/pcre_null_byte.patch
 [2014-02-20 22:23 UTC] yohgaki@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: yohgaki
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 23 18:01:55 2014 UTC