ID: 39679
Updated by: [EMAIL PROTECTED]
Reported By: silverbanana at gmx dot de
-Status: Open
+Status: Bogus
Bug Type: PCRE related
Operating System: Any
PHP Version: 6CVS-2006-11-29 (CVS)
New Comment:
You must filter all the data coming from external sources.
ext/filter is one of the tools you can use for that.
Previous Comments:
------------------------------------------------------------------------
[2006-11-29 10:12:43] silverbanana at gmx dot de
Description:
------------
preg_replace offers the e modifier to evaluate a replacement string as
PHP code and use the result of that code for the replacement. This is a
very powerful feature. There is, however one problem:
If you want to get the string found by preg_replace things can get
complicated, dangerous, even impossible:
This should replace anything between a and b by giving it's strlen.
$search[0]="/a(.*)b/e";
$replace[0]="strlen('\\1')";
$result=preg_replace($search, $replace, $_GET['in']);
Obviously it is possible to do very bad things here, because
$_GET['in'] might be a string like: "');dosthbad();$a=('".
Expected result:
----------------
It would be good to have a predefined variable available inside the
eval'ed PHP code, that just contains all the values for the
parenthesis. Assume this is called $found. Then one could write
something like this:
$search[0]="/a(.*)b/e"; // same as before
$replace[0]='strlen($found[1])'; // <- changed
$result=preg_replace($search, $replace, $_GET['in']); // same
And this time things would be safe. Possibly it might be useful to
introduce this functionality under a different modifier, but I think it
would be a significant improvement for many applications.
------------------------------------------------------------------------
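The proposed $found[1] already has a direct equivalent in preg_replace_callback(), which hands the captured groups to an ordinary PHP function as data instead of evaluating them. The block below is an added example (not code from the report or from PHP's source) that implements the report's "length of what sits between a and b" replacement that way; the sample inputs are constructed.

```php
<?php
// Added example, not code from the bug report: computing a replacement from
// the captured text without the /e modifier. preg_replace_callback() passes
// the groups to a PHP function as plain strings, so nothing in the subject
// is ever evaluated as code (the /e modifier itself was removed in PHP 7).

/**
 * Replace every "a...b" run with the length of the text between a and b,
 * which is the behaviour the report asks for.
 */
function lengthBetweenAB(string $subject): string
{
    $pattern = '/a(.*)b/';   // the report's pattern, minus the /e modifier

    $result = preg_replace_callback(
        $pattern,
        // $m[1] plays the role of the proposed $found[1]
        function (array $m): string {
            return (string) strlen($m[1]);
        },
        $subject
    );

    // preg_replace_callback() returns null on a PCRE error (invalid UTF-8,
    // backtrack limit, ...); fail closed instead of handing back bad data.
    if ($result === null) {
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $result;
}

// Constructed sample inputs; the third wraps the report's hostile string in
// "a...b" so that the whole of it is captured by the group and measured,
// never executed.
$samples = [
    'a12345b',
    'xx a b yy',
    "a');dosthbad();\$a=('b",
];
foreach ($samples as $in) {
    printf("%-28s => %s\n", var_export($in, true), lengthBetweenAB($in));
}
```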