ID: 49091
Updated by: [email protected]
Reported By: nomail at example dot com
-Status: Open
+Status: Analyzed
Bug Type: *Regular Expressions
Operating System: Debian Linux 5.0 Lenny
PHP Version: 5.2.10
New Comment:
PREG_SET_ORDER is not an error constant. The actual error is
PREG_BACKTRACK_LIMIT_ERROR which is set when the pcre library returns a
PCRE_ERROR_MATCHLIMIT
Run the command-line pcre test tool and file a bug with pcre if you
think this is a bug.
Previous Comments:
------------------------------------------------------------------------
[2009-07-28 22:36:02] nomail at example dot com
Description:
------------
Using the latest stable Debian's PHP 5.2.6-1+lenny3. Can't use anything
newer on this production server, sorry.
Note that this malfunction in regular expressions might create
exploitable application vulnerabilities (for example, a forum routine to
sanitize posts). So this should be treated as a security fix.
// This code works as expected and outputs: ttt www.exa.com/ZZZ ttt
echo preg_replace(
'#([a-z\.]+)+ZZZ#',
'i',
'ttt www.exa.com/ZZZ ttt');
// The following code is the same but it will not work, even though it
// should. It will produce just an empty string. The only difference
// between this call and the previous call is that the text contains
// a LONGER domain name (instead of "exa", it contains the word
// "example").
echo preg_replace(
'#([a-z\.]+)+ZZZ#',
'i',
'ttt www.example.com/ZZZ ttt');
Note: preg_last_error() returns the bogus PREG_SET_ORDER, which should
apply only to preg_match_all() and not to preg_replace().
Reproduce code:
---------------
echo preg_replace(
'#([a-z\.]+)+ZZZ#',
'i',
'ttt www.example.com/ZZZ ttt');
Expected result:
----------------
ttt www.example.com/ZZZ ttt
Actual result:
--------------
Empty string
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=49091&edit=1
