ID: 47796 Updated by: scott...@php.net Reported By: spam04 at pornel dot net -Status: Open +Status: Bogus Bug Type: PCRE related Operating System: * PHP Version: 5.2.9 New Comment:
Sorry, but your problem does not imply a bug in PHP itself. For a list of more appropriate places to ask for help using PHP, please visit http://www.php.net/support.php as this bug system is not the appropriate forum for asking support questions. Due to the volume of reports we can not explain in detail here why your report is not a bug. The support channels will be able to provide an explanation for you. Thank you for your interest in PHP. Use preg_replace_callback instead. Previous Comments: ------------------------------------------------------------------------ [2009-03-26 22:38:24] spam04 at pornel dot net I forgot to add echo before preg_replace() in reproduce code. ------------------------------------------------------------------------ [2009-03-26 22:36:08] spam04 at pornel dot net Description: ------------ preg_replace does not escape $ character. If double quotes are used in replacement code, this enables unwanted injection of variables or even execution of PHP code. My suggestion is to escape $ character and discourage use of single quotes in replacement code (because they're not compatible with the way $ and " are escaped). Reproduce code: --------------- // simple case: preg_replace('/.*/e','strtoupper("$0")', '$foo'); // code execution: class test { function pwnd() {echo "pwnd!\n";} function replace($str) { preg_replace('/.*/e','strtoupper("$0")', $str); } } $t = new test(); $t->replace('{$this->pwnd()}'); Expected result: ---------------- $FOO {$THIS->PWND()} Actual result: -------------- PHP Notice: Undefined variable: foo pwnd! ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=47796&edit=1
