Bug #72501 create_function can execute code
Submitted: 2016-06-27 10:16 UTC Modified: 2016-06-27 19:37 UTC
From: loianhtuan at gmail dot com Assigned:
Status: Not a bug Package: Unknown/Other Function
PHP Version: 7.1Git-2016-06-27 (Git) OS:
Private report: No CVE-ID: None
 [2016-06-27 10:16 UTC] loianhtuan at gmail dot com
Description:
------------
create_function puts the given arguments into the "function" block and then evals it, so an attacker can use a closing bracket to escape this block and execute the code without calling the new function.

Test script:
---------------
<?php
$a = create_function('$b','}echo "this should not be executed\n";{');
?>

Expected result:
----------------
vps@pc:~ /opt/php7/bin/php a.php
vps@pc:~

Actual result:
--------------
vps@pc:~ /opt/php7/bin/php -v
PHP 7.1.0-dev (cli) (built: Jun 27 2016 11:16:33) ( NTS DEBUG )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.1.0-dev, Copyright (c) 1998-2016 Zend Technologies

vps@pc:~ /opt/php7/bin/php a.php
this should not be executed

vps@pc:~

History

 [2016-06-27 19:37 UTC] stas@php.net
-Status: Open +Status: Not a bug -Type: Security +Type: Bug
 [2016-06-27 19:37 UTC] stas@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

If you allow user-specified data into the body of your created functions, you should filter that data. Also, create_function is not recommended for use in any current version of PHP, see http://php.net/create_function
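To illustrate both the report above and the maintainer's advice, here is an added PHP example that is not code from the bug report or from PHP itself: the injectable create_function pattern, a closure-based replacement that keeps user input as data, and a tokenizer-based scan for locating remaining create_function calls in a code base. The function names and the sample suffix are constructed for this example.

```php
<?php
// Added example, not from the bug report. create_function() evals the
// string "function(<args>){<body>}"; it was removed in PHP 8.0.

// Unsafe: user data concatenated into the body, so a "}" in $userSuffix
// closes the generated function early, exactly as the report shows.
function build_formatter_unsafe(string $userSuffix): callable
{
    return create_function('$s', 'return $s . "' . $userSuffix . '";');
}

// Safe: capture the user value as data in a closure. Nothing is evaluated
// as code, so braces, quotes or semicolons in $userSuffix are inert.
function build_formatter_safe(string $userSuffix): callable
{
    return function (string $s) use ($userSuffix): string {
        return $s . $userSuffix;
    };
}

// Detection: line numbers of every create_function() call in a source
// string; the tokenizer skips mentions inside comments and string literals.
function find_create_function_calls(string $source): array
{
    $lines  = [];
    $tokens = token_get_all($source);
    $n      = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        if (!is_array($t) || $t[0] !== T_STRING
            || strcasecmp($t[1], 'create_function') !== 0) {
            continue;
        }
        // Skip whitespace, then require "(" so a bare name is not a hit.
        $j = $i + 1;
        while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
            $j++;
        }
        if ($j < $n && $tokens[$j] === '(') {
            $lines[] = $t[2];
        }
    }
    return $lines;
}

// Constructed input: the braces from the report, passed as user data.
$format = build_formatter_safe('}echo "x";{');
var_dump($format('abc'));   // braces stay plain text
print_r(find_create_function_calls(file_get_contents(__FILE__)));
```

Running the file on its own source reports the single call site inside build_formatter_unsafe, which is the kind of hit a code review would flag for replacement with a closure.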
 