php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77364 preg_quote incorrectly escapes # character
Submitted: 2018-12-28 17:00 UTC Modified: 2019-01-02 09:32 UTC
From: peku33 at gmail dot com Assigned:
Status: Not a bug Package: *Regular Expressions
PHP Version: 7.3.0 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: peku33 at gmail dot com
New email:
PHP Version: OS:

 

 [2018-12-28 17:00 UTC] peku33 at gmail dot com
Description:
------------
preg_quote function escapes # character, while it shouldn't.

This breaks IPBoard 4.3.6 forums in which friendly urls uses custom regexes with #, @, ? characters in url templates. Urls are passed through preg_quote function and # is replaced with \#. In next section {#} should be replaced with (\d+), but this fails, since there is {#} but {\#}.


PHP 7.3.0-2 (cli) (built: Dec 17 2018 09:51:53) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.0-dev, Copyright (c) 1998-2018 Zend Technologies
    with Zend OPcache v7.3.0-2, Copyright (c) 1999-2018, by Zend Technologies

Test script:
---------------
<?php

        $inputs = ['#', '?', '@'];
        foreach($inputs as $input)
        {
                var_dump($input, preg_quote($input));
        }




Expected result:
----------------
string(1) "#"
string(1) "#"
string(1) "?"
string(2) "\?"
string(1) "@"
string(1) "@"

Actual result:
--------------
string(1) "#"
string(2) "\#"
string(1) "?"
string(2) "\?"
string(1) "@"
string(1) "@"

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-12-28 23:05 UTC] cmb@php.net
> preg_quote function escapes # character, while it shouldn't.

This has been deliberately done to fix bug #75355.  Unfortunately,
this ticket has missed the deadline[1], and it seems to me that
reverting now could do more harm than good.

[1] <https://github.com/php/php-src/pull/2838#issuecomment-352194335>
 [2019-01-02 09:32 UTC] nikic@php.net
-Status: Open +Status: Not a bug
 [2019-01-02 09:32 UTC] nikic@php.net
Yeah, this is an intentional change (and documented on http://php.net/preg_quote), and I don't believe we will go back on it. "#" is a special character inside regular expressions under some circumstances, and not escaping it could result in a security issue.

In your particular case, it looks like you should be able to accommodate the new behavior by replacing both '\#' and '#' with '\d'.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sun Apr 11 04:01:24 2021 UTC