ID: 47796
User updated by: spam04 at pornel dot net
Reported By: spam04 at pornel dot net
Status: Open
Bug Type: PCRE related
Operating System: *
PHP Version: 5.2.9
New Comment:

I forgot to add echo before preg_replace() in reproduce code.

Previous Comments:
------------------------------------------------------------------------

[2009-03-26 22:36:08] spam04 at pornel dot net

Description:
------------
preg_replace does not escape the $ character. If double quotes are used in replacement code, this enables unwanted injection of variables or even execution of PHP code.

My suggestion is to escape the $ character and discourage use of single quotes in replacement code (because they're not compatible with the way $ and " are escaped).

Reproduce code:
---------------
<?php
// simple case:
preg_replace('/.*/e', 'strtoupper("$0")', '$foo');

// code execution:
class test {
    function pwnd() { echo "pwnd!\n"; }
    function replace($str) {
        preg_replace('/.*/e', 'strtoupper("$0")', $str);
    }
}
$t = new test();
$t->replace('{$this->pwnd()}');

Expected result:
----------------
$FOO
{$THIS->PWND()}

Actual result:
--------------
PHP Notice: Undefined variable: foo
pwnd!

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=47796&edit=1
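The same uppercase replacement written without the /e modifier, added here as an illustration and not part of the bug report: preg_replace_callback hands the match to a callback as plain data, so a subject containing "$" or "{$...}" is never evaluated as PHP code. The closure assumes PHP 5.3 or later.

```php
<?php
// Added example, not from the bug report: replace() rewritten with
// preg_replace_callback instead of the /e modifier. The matched text
// reaches strtoupper() as a string argument, never as source code, so
// "$foo" and "{$this->pwnd()}" in the subject cannot inject variables
// or method calls. (/e was deprecated in PHP 5.5 and removed in 7.0.)

class test {
    function pwnd() { echo "pwnd!\n"; }

    // Safe counterpart of the report's replace(): no /e, no string eval.
    function replace($str) {
        return preg_replace_callback(
            '/.*/',
            function ($m) { return strtoupper($m[0]); },
            $str
        );
    }
}

$t = new test();
echo $t->replace('$foo'), "\n";             // $FOO, no undefined-variable notice
echo $t->replace('{$this->pwnd()}'), "\n";  // {$THIS->PWND()}, pwnd() is never called
```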