From: spam04 at pornel dot net
Operating system: *
PHP version: 5.2.9
PHP Bug Type: PCRE related
Bug description: preg_replace /e modifier allows unexpected code execution

Description:
------------
preg_replace does not escape the $ character. If double quotes are used in the replacement code, this enables unwanted injection of variables or even execution of PHP code.

My suggestion is to escape the $ character and discourage use of single quotes in replacement code (because they're not compatible with the way $ and " are escaped).

Reproduce code:
---------------
// simple case:
preg_replace('/.*/e', 'strtoupper("$0")', '$foo');

// code execution:
class test {
    function pwnd() { echo "pwnd!\n"; }
    function replace($str) {
        preg_replace('/.*/e', 'strtoupper("$0")', $str);
    }
}

$t = new test();
$t->replace('{$this->pwnd()}');

Expected result:
----------------
$FOO
{$THIS->PWND()}

Actual result:
--------------
PHP Notice: Undefined variable: foo
pwnd!

-- 
Edit bug report at http://bugs.php.net/?id=47796&edit=1
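The same replacement written without the /e modifier, as an added example that is not part of the bug report: preg_replace_callback hands each match to a PHP callback as a plain string, so a $ in the subject is never interpolated or evaluated. The class and method names (SafeTest, upperMatch) are mine, and the callback is given as an array callable so the code also runs on the PHP 5.2 line the report was filed against.

```php
<?php
// Added example, not from the bug report. Mitigation for the /e pattern
// shown above: replace preg_replace('/.../e', 'code("$0")', $str) with
// preg_replace_callback and a real PHP function. The match reaches the
// callback as data in $m[0]; nothing is built into a string and eval'd.
class SafeTest
{
    // Same method as in the report; with the callback version below it is
    // never reached, because the subject string is never executed.
    public function pwnd()
    {
        echo "pwnd!\n";
    }

    // Callback: receives the match array, returns the replacement text.
    public function upperMatch(array $m)
    {
        return strtoupper($m[0]);
    }

    // Hardened replace(): no /e, so there is no code string to inject into.
    public function replace($str)
    {
        return preg_replace_callback('/.*/', array($this, 'upperMatch'), $str);
    }
}

$t = new SafeTest();
// The "simple case" from the report: $foo is uppercased literally, no
// "Undefined variable" notice, because nothing interpolates it.
echo $t->replace('$foo'), "\n";
// The "code execution" case: the braces and $this->pwnd() are uppercased
// as text; pwnd() is not called.
echo $t->replace('{$this->pwnd()}'), "\n";
```

The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so this rewrite is also the only form that still works on current PHP.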