Can someone explain what is going on here:

--- foo.php ---
<?php
$a = "___! 52); echo(42 !___";
$b = preg_replace("/!(.*)!/e", "print(\\1);", $a);
print("\n---\na: $a\nb: $b\n");
?>
--- end ---

--- output ---
52
---
a: ___! 52); echo(42 !___
b: ___1___
--- end ---
I understand that one is supposed to use single quotes around the \\1 in the above preg_replace. But what happens when they do not? Clearly the echo(42); is not executed, and it is not printed by print().

Even more interesting: if you put something like echo(\"42 in $a, you get a bunch of errors, including:

Fatal error - Failed evaluating code:
print( 52); echo(\"42 );

It seems like preg_replace() is doing some strange things, and this might be exploitable if a remote user can supply the first argument and the second argument does not enclose the \\n options.

-James

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
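An added example follows. It is not part of James's message and is not code from the PHP source tree. It reconstructs, in plain PHP, the string that the /e path handed to the engine's eval helper (each backreference replaced by the addslashes()'d match, the whole thing compiled as "return <code> ;"), runs that reconstruction over the two subjects from the post plus one constructed subject, ___!phpinfo()!___, and shows the preg_replace_callback() form that does the same job with the match treated as data rather than code. The function names model_e_code and safe_replace and the third subject are mine; the /e modifier itself was deprecated in PHP 5.5 and removed in PHP 7.0, so the reconstruction is what lets this run on a current interpreter.

```php
<?php
// Added example; not code from the original post or from the PHP source.
// It reconstructs what the PCRE extension did with the /e modifier
// (PHP 4 and 5; deprecated in 5.5, removed in 7.0) and shows the
// preg_replace_callback() form that does the same job without compiling
// anything. Runs on PHP 7+, where /e itself is no longer accepted.
//
// Two details of the /e path explain the output in the post:
//   1. Each \N backreference in the replacement was substituted with the
//      matched text run through addslashes() (' " \ and NUL get a backslash).
//   2. The resulting string was compiled as "return <code> ;". The "return "
//      prefix is not shown in the "Failed evaluating code:" message.
// So "print(\1);" applied to the post's subject became
//      return print( 52); echo(42 ); ;
// print() outputs 52 and returns 1, the return statement ends evaluation
// before echo(42) is reached, and the match is replaced by "1": "___1___".
// With echo(\"42 in the subject the quote arrives as \" and the code does
// not parse. The escaping stops a quoted string from being closed early;
// it does nothing when \1 is pasted into the code unquoted.

// Rebuild the code string the /e path evaluated for one match. Only the \N
// backreference form is handled, which is all the post's replacement uses.
function model_e_code(string $replacement, array $groups): string
{
    $code = preg_replace_callback('/\\\\(\d)/', function (array $m) use ($groups): string {
        return addslashes($groups[(int) $m[1]] ?? '');
    }, $replacement);
    return 'return ' . $code . ' ;';
}

// The safe form: the match reaches PHP as a string value. The callback does
// what the post's replacement meant to do (print the match) and returns the
// text to substitute; nothing taken from $subject is ever compiled.
function safe_replace(string $subject): string
{
    return preg_replace_callback('/!(.*)!/', function (array $m): string {
        print($m[1]);
        return '1';   // the value print() produced in the original, for comparison
    }, $subject);
}

$subjects = [
    "___! 52); echo(42 !___",     // from the post
    "___! 52); echo(\"42 !___",   // the variant that produced the fatal error
    "___!phpinfo()!___",          // constructed: a call placed inside print()'s argument
];

foreach ($subjects as $subject) {
    if (preg_match('/!(.*)!/', $subject, $groups)) {
        echo "subject:   $subject\n";
        echo "evaluated: ", model_e_code("print(\\1);", $groups), "\n\n";
    }
}
// For the third subject the reconstructed code is a call nested in print()'s
// argument list, so on a /e-era interpreter phpinfo() would run before
// print() did. No quote character is involved, so addslashes() does not help.

// With preg_replace_callback() the same hostile subject is only text to print.
$out = safe_replace("___!phpinfo()!___");
echo "\nsafe_replace: $out\n";
```

The reconstruction is faithful to the two behaviours the post's own output confirms (the unreachable echo(42) and the escaped quote in the error message); it is not a general re-implementation of preg_replace. The practical point for code that still carries /e is that the fix is not quoting \1 more carefully but moving to preg_replace_callback(), where the subject can never influence what gets compiled.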