From:             cristic at interaktonline dot com
Operating system: Windows XP Home Edition
PHP version:      4.3.9
PHP Bug Type:     Reproducible crash
Bug description:  Apache Crash with a regular expression

Description:
------------
Crashing configurations:

Apache 2.0.50
with PHP 4.3.7, 4.3.8, 4.3.9
or 
Apache 2.0.48
with PHP 4.3.6
OS Win XP Home Edition

The code below does not crash with PHP 4.3.7, 4.3.8 or 4.3.9 and Apache
1.3.31 on the same OS.

Reproduce code:
---------------
<?php 
$sql = "SELECT sur_survey_ssr.id_ssr,sur_survey_ssr.name_ssr,
sur_survey_ssr.welcome_ssr,sur_survey_ssr.thankyou_ssr,
sur_survey_ssr.footer_ssr,sur_survey_ssr.header_ssr,
sur_survey_ssr.startdate_ssr,sur_survey_ssr.enddate_ssr,
sur_survey_ssr.url_ssr,sur_survey_ssr.active_ssr, count(s2.id_srs) as
responses, count(s1.id_srs) as test FROM sur_survey_ssr  LEFT JOIN
sur_response_srs s2 ON id_ssr=s2.idssr_srs LEFT JOIN sur_response_srs s1
ON id_ssr=s1.idssr_srs AND s1.test_srs=1 WHERE 1=1 GROUP BY
sur_survey_ssr.id_ssr ORDER BY startdate_ssr DESC";

// The (.|\n|\r)* group in this pattern is the part that triggers the crash
// (see "Actual result" below).
if (preg_match('/^(\s|\n|\r)*select(.|\n|\r)*limit\s+-?[0-9]+(\s|\n|\r)*(,(\s|\n|\r)*-{0,1}[0-9]+){0,1}(\s|\n|\r)*$/im', $sql, $matches)) {
    die('a');
} else {
    die('b');
}
?>

Expected result:
----------------
- The regular expression should match any string which starts with the 'SELECT'
SQL keyword and ends with a LIMIT SQL condition.


Actual result:
--------------
- When this specific string, contained in the $sql variable, is specified,
the Apache process crashes.

- Backtracking the problem, I found out that the following regular
expression stops crashing the Web Server:

'/^(\s|\n|\r)*select(\n|\r)*limit\s+-?[0-9]+(\s|\n|\r)*(,(\s|\n|\r)*-{0,1}[0-9]+){0,1}(\s|\n|\r)*$/im'

- The crash appears immediately; it's not an infinite loop.

-- 
Edit bug report at http://bugs.php.net/?id=30552&edit=1
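An added example, not part of the bug report above: the same "starts with SELECT, ends with LIMIT" check written without the per-character alternation group. Alternation groups such as `(.|\n|\r)*` make PCRE recurse once per character of the subject, which is the usual way a long input exhausts the small thread stack Apache 2 uses on Windows; a single character class consumes the run without that recursion. The `$sql` string, the function name and the `PHP >= 5.2` error-reporting calls are assumptions of this example.

```php
<?php
// Constructed sample subject (shortened from the report's query).
$sql = "SELECT sur_survey_ssr.id_ssr, count(s2.id_srs) AS responses\n"
     . "FROM sur_survey_ssr LEFT JOIN sur_response_srs s2 ON id_ssr=s2.idssr_srs\n"
     . "GROUP BY sur_survey_ssr.id_ssr ORDER BY startdate_ssr DESC";

// Pattern from the report, kept only for comparison. Do not run it against
// long or untrusted input on a PCRE build without a recursion limit.
$unsafe = '/^(\s|\n|\r)*select(.|\n|\r)*limit\s+-?[0-9]+(\s|\n|\r)*(,(\s|\n|\r)*-{0,1}[0-9]+){0,1}(\s|\n|\r)*$/im';

// Same intent, no nested alternation:
//  - \s already matches \n and \r, so (\s|\n|\r)* collapses to \s*;
//  - [\s\S]* matches any character, newlines included, without per-char recursion;
//  - the /m modifier is dropped: with it, $ also matches before an embedded
//    newline, so "ends with a LIMIT clause" would not really be enforced.
$safe = '/^\s*select[\s\S]*limit\s+-?[0-9]+\s*(?:,\s*-?[0-9]+)?\s*$/i';

// Hypothetical helper: classify the result instead of trusting a bare truthy check.
function classify_match($pattern, $subject)
{
    $rc = preg_match($pattern, $subject);
    if ($rc === false) {
        // preg_match() returns false (not 0) when PCRE aborted, e.g. because
        // pcre.backtrack_limit or pcre.recursion_limit was hit (PHP >= 5.2).
        // Treat this as "could not validate", never as "no match".
        return 'error ' . preg_last_error();
    }
    return $rc === 1 ? 'match' : 'no match';
}

// A query without a LIMIT clause, and the same query with one appended.
var_dump(classify_match($safe, $sql));
var_dump(classify_match($safe, $sql . " LIMIT 10, 5"));
```

Because the crash in the report is a stack overflow rather than a backtrack-limit abort, the limits above do not help on the original pattern; the fix is the rewrite of the pattern itself.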