preg_replace should fail on trailing garbage
| Sec Bug #55856 | preg_replace should fail on trailing garbage | | |
|---|---|---|---|
| Submitted: | 2011-10-06 05:03 UTC | Modified: | 2014-02-20 22:23 UTC |
| From: | reg dot php at alf dot nu | Assigned: | yohgaki (profile) |
| Status: | Closed | Package: | PCRE related |
| PHP Version: | 5.4.0beta1 | OS: | All |
| Private report: | No | CVE-ID: | None |
[2011-10-06 05:03 UTC] reg dot php at alf dot nu
Description:
------------
The following (ill-advised but not uncommon) code...
preg_replace('/'.$a.'/i', $b, $c)
will eval $b if $a contains "/e\0".
Good fix: turn null bytes into backslash-zero before passing them to PCRE.
Easier fix: check that 'pp' is actually at the end of the string and not just at
some random null byte after the modifier loop in pcre_get_compiled_regex_cache,
and error out if not.
Test script:
---------------
```php
<?php
// $text is not defined in the report; any input works, since the empty
// alternative in "1||1" matches at every position. (/e was removed in PHP 7.0.)
$text = "anything";
$word = "die('Lalala'); 1||1/e\0";
// Slightly contrived example, but let's pretend we're
// case-normalizing a user-provided word, and forgot to
// preg_quote
$text = preg_replace('/'.$word.'/i', $word, $text);
```
Expected result:
----------------
"preg_replace(): Unknown modifier '\0' in ..."
(or some better error message)
Actual result:
--------------
Code execution.
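The delimiter and modifier scan the report describes, modelled in C as an added example (this is not php_pcre.c and not code from the reporter; the real function also handles bracket delimiters, more modifiers and caching). `parse_pcre_string` splits a PHP string of known length into delimiter, pattern body and modifiers. With `strict == 0` the modifier loop stops at the first NUL byte, which is the pre-fix behaviour the report describes; with `strict != 0` it applies the reporter's "easier fix" and rejects the string unless the cursor reached the real end of the buffer. The attack string is exactly what `'/'.$word.'/i'` builds in the test script, constructed inline with its embedded NUL. The function names, flag constants and the status enum are assumptions made for this example.

```c
/* Simplified model of PHP's "<delim>pattern<delim><modifiers>" parsing,
 * written for this bug report.  NOT php_pcre.c. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MOD_I 0x01   /* i: case-insensitive */
#define MOD_M 0x02   /* m: multi-line */
#define MOD_E 0x04   /* e: preg_replace() eval's the replacement string */

enum parse_status {
    PARSE_OK = 0,
    PARSE_BAD_DELIMITER,
    PARSE_NO_END_DELIMITER,
    PARSE_UNKNOWN_MODIFIER,
    PARSE_TRAILING_GARBAGE     /* only reported when strict != 0 */
};

/* regex/regex_len: the full PHP string, which may legally contain NUL bytes.
 * strict == 0: pre-fix behaviour, modifier loop ends at the first NUL byte.
 * strict != 0: the reporter's "easier fix", cursor must reach the real end. */
enum parse_status parse_pcre_string(const char *regex, size_t regex_len, int strict,
                                    char *pattern_out, size_t pattern_cap,
                                    int *flags_out)
{
    const char *end = regex + regex_len;
    const char *p = regex;
    const char *pp;
    size_t body_len;
    char delim;
    int flags = 0;

    while (p < end && (*p == ' ' || *p == '\t' || *p == '\n' || *p == '\r'))
        p++;                            /* leading whitespace is skipped */
    if (p >= end)
        return PARSE_BAD_DELIMITER;
    delim = *p++;
    if ((delim >= '0' && delim <= '9') || (delim >= 'a' && delim <= 'z') ||
        (delim >= 'A' && delim <= 'Z') || delim == '\\')
        return PARSE_BAD_DELIMITER;    /* alphanumeric/backslash delimiters refused */

    /* Find the closing delimiter; a backslash escapes the following byte. */
    pp = p;
    while (pp < end && *pp != delim) {
        if (*pp == '\\' && pp + 1 < end)
            pp++;
        pp++;
    }
    if (pp >= end)
        return PARSE_NO_END_DELIMITER;

    body_len = (size_t)(pp - p);
    if (body_len >= pattern_cap)
        body_len = pattern_cap - 1;
    memcpy(pattern_out, p, body_len);
    pattern_out[body_len] = '\0';
    pp++;                               /* step over the closing delimiter */

    /* Modifier loop.  The `*pp != '\0'` test is the bug: an embedded NUL ends
     * the loop before the real end of the data, so "\0/i" is never seen. */
    while (pp < end && *pp != '\0') {
        switch (*pp++) {
        case 'i': flags |= MOD_I; break;
        case 'm': flags |= MOD_M; break;
        case 'e': flags |= MOD_E; break;
        case ' ': case '\t': case '\n': case '\r': break;   /* tolerated */
        default:  return PARSE_UNKNOWN_MODIFIER;
        }
    }
    /* The fix: pp must be at the end of the string, not at a random NUL. */
    if (strict && pp != end)
        return PARSE_TRAILING_GARBAGE;

    *flags_out = flags;
    return PARSE_OK;
}

/* Does this regex string come out of the parser with /e set? */
int e_flag_accepted(const char *regex, size_t regex_len, int strict)
{
    char body[256];
    int flags = 0;
    if (parse_pcre_string(regex, regex_len, strict, body, sizeof body, &flags) != PARSE_OK)
        return 0;
    return (flags & MOD_E) != 0;
}

int main(void)
{
    /* Constructed input: what '/'.$word.'/i' builds in the test script,
     * 25 bytes including the embedded NUL (strlen() would report 22). */
    static const char attack[] = "/die('Lalala'); 1||1/e\0/i";
    size_t len = sizeof attack - 1;
    printf("pre-fix  parser accepts /e: %d\n", e_flag_accepted(attack, len, 0));
    printf("strict   parser accepts /e: %d\n", e_flag_accepted(attack, len, 1));
    return 0;
}
```

From the calling side the durable fix is the one the test script deliberately omits: `preg_quote($word, '/')` before interpolating, which turns the `/` inside `$word` into `\/` so the closing-delimiter scan skips it and no modifier section can be smuggled in at all; and, since `/e` is deprecated in PHP 5.5 and removed in 7.0, `preg_replace_callback()` wherever `/e` was being relied on.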
[2014-02-20 22:23 UTC] yohgaki@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: yohgaki