"James E. Flemer" <[EMAIL PROTECTED]> wrote... :
> I found a more evil example:
>
> <?php
> $a = "___! `rm -rf /tmp/sess_*` !___";
> $b = preg_replace("/!(.*)!/e", "print(\\1);", $a);
> ?>
>
> This happily executes "rm -rf /tmp/sess_*". I will not
> give out more examples, but if one examines the code for
> addslashes() it is quite obvious what you can and cannot do
> here. Thus it is clearly a Bad Thing for someone to use
> preg_replace with the /e modifier and not use quotes around
> the \\n or $n backrefs.
>
> The docs should be updated to include a very noticeable
> warning about this hole. I am contemplating possible
> solutions for this problem...
>
> Also as a side note, it does not seem to be possible to use
> 'echo' as part of the expression, print must be used. (Yes
> I know why, just pointing it out.)
>
> -James
>
>
> On Thu, 30 Jan 2003, James E. Flemer wrote:
>
> > Can someone explain what is going on here:
> >
> > --- foo.php ---
> > <?php
> > $a = "___! 52); echo(42 !___";
> > $b = preg_replace("/!(.*)!/e", "print(\\1);", $a);
> > print("\n---\na: $a\nb: $b\n");
> > ?>
> > --- end ---
> > --- output ---
> > 52
> > ---
> > a: ___! 52); echo(42 !___
> > b: ___1___
> > --- end ---
> >
> > I understand that one is supposed to use single quotes
> > around the \\1 in the above preg_replace. But what happens
> > when they do not? Clearly the echo(42); is not executed,
> > and it is not printed by print(). Even more interesting is
> > if you put something like echo(\"42 in $a, then you get a
> > bunch of errors including:
> > Fatal error - Failed evaluating code:
> > print( 52); echo(\"42 );
In fact, /e eval()uates the code. It does with the replaced result just what eval() does with a string of PHP code. At most, it could be noted in docs.

--
Maxim Maletsky
[EMAIL PROTECTED]

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
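The safe way to get the same effect as the thread's `print(\\1)` replacement is to hand the captured text to a callback instead of letting /e eval() it. The following is an added example, not code from either message or from PHP itself; the function name and the two constructed inputs are mine, and the behaviour relies only on preg_replace_callback(), which passes the match to the closure as a plain string.

```php
<?php
// Added example (not from the thread): the "print what sits between the
// bangs" transformation rewritten with preg_replace_callback(). The captured
// group reaches the closure as data, never as PHP source, so backticks,
// quotes and semicolons inside the subject cannot become code. (/e itself
// was deprecated in PHP 5.5 and removed in PHP 7.0.)

// Replaces every !...! section with "1" after printing the captured text,
// which is exactly what the thread's print(\\1) replacement produced
// (print() returns 1), but with no eval() involved.
function replace_bang_sections(string $s): string
{
    return preg_replace_callback(
        '/!(.*)!/',
        function (array $m): string {
            // $m[1] is an ordinary string: it is printed verbatim, never parsed.
            print($m[1]);
            return '1';
        },
        $s
    );
}

// Constructed inputs mirroring the two messages in the thread.
$inputs = [
    "___! 52); echo(42 !___",          // the original puzzle
    "___! `rm -rf /tmp/sess_*` !___",  // the backtick (shell exec) case
];

foreach ($inputs as $a) {
    $b = replace_bang_sections($a);
    print("\n---\na: $a\nb: $b\n");
}
```

Running this prints each captured span as literal text, so neither the `echo(42)` nor the backtick expression is ever evaluated, while `$b` still comes out as the thread showed.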