ID: 35960 Updated by: [EMAIL PROTECTED] Reported By: djmaze at cpgnuke dot com -Status: Open +Status: Bogus Bug Type: *Regular Expressions Operating System: Windows PHP Version: 5.1.1 New Comment:
e If this modifier is set, preg_replace() does normal substitution of backreferences in the replacement string, *evaluates it as PHP code*, and uses the result for replacing the search string. Single and double quotes are escaped by backslashes in substituted backreferences. (c) http://php.net/manual/en/reference.pcre.pattern.modifiers.php I don't see a reason for "e" to backslash "$". This is expected and well documented. Previous Comments: ------------------------------------------------------------------------ [2006-01-10 12:31:09] djmaze at cpgnuke dot com If you preg_replace() submitted data thru $_GET or $_POST i can for example put in $_GET something like: $_GET['input'] = '$foobar'; This means either update the documentation with an note stating that using the 'e' modifier the function doesn't backslash $ or force it to do so. Because "echo $_GET['input'];" outputs $foobar and the preg_replace() outputs the content of $foobar ------------------------------------------------------------------------ [2006-01-10 12:20:31] [EMAIL PROTECTED] Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php echo $exploited; is much more easier way to output a variable. ------------------------------------------------------------------------ [2006-01-10 12:14:58] djmaze at cpgnuke dot com Description: ------------ When using preg_replace() with the 'e' modifier you can exploit variables since the $ sign doesn't get backslashed. Tested on several PHP versions both 4.x and 5.x Reproduce code: --------------- <?php error_reporting(E_ALL); $exploited = 'my password'; $exploit = '[php]$exploited[/php]'; function highlight_php($txt) { return "<pre>$txt</pre>"; } echo preg_replace('#\[PHP\](.*?)\[/PHP\]#sie', 'highlight_php("\\1")', $exploit); # exploited echo preg_replace('#\[PHP\](.*?)\[/PHP\]#sie', 'highlight_php(\'\\1\')', $exploit); # no exploit ?> Expected result: ---------------- <pre>$exploited</pre> Actual result: -------------- <pre>my password</pre> ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=35960&edit=1
