Request #65079 mb_ereg_replace's e modifier should be deprecated
Submitted: 2013-06-21 00:23 UTC Modified: 2016-07-28 12:42 UTC
From: masakielastic at gmail dot com Assigned: cmb (profile)
Status: Closed Package: mbstring related
PHP Version: 5.5.0 OS: Any
Private report: No CVE-ID: None
 [2013-06-21 00:23 UTC] masakielastic at gmail dot com
Description:
------------
mb_ereg_replace's e modifier should be deprecated to prevent PHP code
execution, and an explanation of how to use mb_ereg_replace_callback (since PHP
5.4.1) should be added to the manual.

PHP: code execution via mb_ereg_replace
http://vigilance.fr/vulnerability/PHP-code-execution-via-mb-ereg-replace-8711

The reason why preg_replace's e modifier was deprecated in PHP 5.5 can be 
applied to mb_ereg_replace's e modifier.

http://www.php.net/manual/en/function.preg-replace.php
https://wiki.php.net/rfc/remove_preg_replace_eval_modifier

There is an example implementation of mb_ereg_replace_callback as a user
function.

http://d.hatena.ne.jp/hnw/20110206
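The two call forms the report contrasts, as an added example that is not part of the bug report (constructed input; assumes the mbstring extension is loaded and PHP 5.4.1 or later):

```php
<?php
// Added example, not from the report: the 'e' option of mb_ereg_replace()
// beside the mb_ereg_replace_callback() form the report asks to document.
mb_regex_encoding('UTF-8');

// Constructed sample input.
$input = 'price: 12 dollars, tax: 3 dollars';

// Legacy form. With option 'e', back-references are substituted into the
// replacement string and the result is then evaluated as a PHP expression.
// Anything that reaches $replacement or the matched text therefore becomes
// code, not data. Deprecated as of PHP 7.1.0; emits a deprecation notice there.
function replaceWithEvalOption(string $input): string
{
    return mb_ereg_replace('(\d+) dollars', '(\1 * 100) . " cents"', $input, 'e');
}

// Hardened form. The callback receives the match array as plain strings;
// nothing is evaluated, so untrusted input can only influence the output text.
function replaceWithCallback(string $input): string
{
    return mb_ereg_replace_callback(
        '(\d+) dollars',
        function (array $m): string {
            return ((int) $m[1] * 100) . ' cents';
        },
        $input
    );
}

// Both produce "price: 1200 cents, tax: 300 cents" on the sample input;
// only the callback version does so without running generated code.
var_dump(replaceWithCallback($input));
```

When auditing a code base, treat any mb_ereg_replace() call whose fourth argument contains the letter 'e' as a finding and convert it to the callback form.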

 [2013-06-28 06:01 UTC] yohgaki@php.net
Comment for clarification.

Unlike preg_replace(), mb_ereg_replace()'s 'e' modifier is specified as a
separate parameter. preg_replace() allows setting the 'e' modifier in the regex, and this
made preg_replace() much more dangerous than mb_ereg_replace().

However, a callback is much more secure. Therefore, implementing
mb_ereg_replace_callback() is highly encouraged.
 [2016-07-28 12:12 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2016-07-28 12:12 UTC] cmb@php.net
mb_ereg_replace_callback() is available as of PHP 5.4.1[1]; the 'e'
modifier is deprecated as of PHP 7.1.0[2]. The latter is not yet
documented, though.

[1] <http://php.net/manual/en/function.mb-ereg-replace-callback.php>
[2] <https://wiki.php.net/rfc/deprecate_mb_ereg_replace_eval_option>.
 [2016-07-28 12:42 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 [2016-07-28 12:42 UTC] cmb@php.net
> The latter is not yet documented, though.

Done - closing.