#47796 [NEW]: preg_replace /e modifier allows unexpected code execution

Thu, 26 Mar 2009 15:36:20 -0700 

From:             spam04 at pornel dot net
Operating system: *
PHP version:      5.2.9
PHP Bug Type:     PCRE related
Bug description:  preg_replace /e modifier allows unexpected code execution

Description:
------------
preg_replace does not escape $ character. If double quotes are used in 
replacement code, this enables unwanted injection of variables or even 
execution of PHP code.

My suggestion is to escape $ character and discourage use of single 
quotes in replacement code (because they're not compatible with the way 
$ and " are escaped).


Reproduce code:
---------------
// simple case:
preg_replace('/.*/e','strtoupper("$0")', '$foo');

// code execution:
class test
{
    function pwnd() {echo "pwnd!\n";}
    
    function replace($str)
    {
        preg_replace('/.*/e','strtoupper("$0")', $str);
    }
}

$t = new test();
$t->replace('{$this->pwnd()}');


Expected result:
----------------
$FOO
{$THIS->PWND()}

Actual result:
--------------
PHP Notice:  Undefined variable: foo
pwnd!

-- 
Edit bug report at http://bugs.php.net/?id=47796&edit=1
-- 
Try a CVS snapshot (PHP 5.2):        
http://bugs.php.net/fix.php?id=47796&r=trysnapshot52
Try a CVS snapshot (PHP 5.3):        
http://bugs.php.net/fix.php?id=47796&r=trysnapshot53
Try a CVS snapshot (PHP 6.0):        
http://bugs.php.net/fix.php?id=47796&r=trysnapshot60
Fixed in CVS:                        
http://bugs.php.net/fix.php?id=47796&r=fixedcvs
Fixed in CVS and need be documented: 
http://bugs.php.net/fix.php?id=47796&r=needdocs
Fixed in release:                    
http://bugs.php.net/fix.php?id=47796&r=alreadyfixed
Need backtrace:                      
http://bugs.php.net/fix.php?id=47796&r=needtrace
Need Reproduce Script:               
http://bugs.php.net/fix.php?id=47796&r=needscript
Try newer version:                   
http://bugs.php.net/fix.php?id=47796&r=oldversion
Not developer issue:                 
http://bugs.php.net/fix.php?id=47796&r=support
Expected behavior:                   
http://bugs.php.net/fix.php?id=47796&r=notwrong
Not enough info:                     
http://bugs.php.net/fix.php?id=47796&r=notenoughinfo
Submitted twice:                     
http://bugs.php.net/fix.php?id=47796&r=submittedtwice
register_globals:                    
http://bugs.php.net/fix.php?id=47796&r=globals
PHP 4 support discontinued:          http://bugs.php.net/fix.php?id=47796&r=php4
Daylight Savings:                    http://bugs.php.net/fix.php?id=47796&r=dst
IIS Stability:                       
http://bugs.php.net/fix.php?id=47796&r=isapi
Install GNU Sed:                     
http://bugs.php.net/fix.php?id=47796&r=gnused
Floating point limitations:          
http://bugs.php.net/fix.php?id=47796&r=float
No Zend Extensions:                  
http://bugs.php.net/fix.php?id=47796&r=nozend
MySQL Configuration Error:           
http://bugs.php.net/fix.php?id=47796&r=mysqlcfg

Reply via email to