#49091 [NEW]: preg_replace bug and potential security issue

Tue, 28 Jul 2009 15:36:12 -0700 

From:             nomail at example dot com
Operating system: Debian Linux 5.0 Lenny
PHP version:      5.2.10
PHP Bug Type:     *Regular Expressions
Bug description:  preg_replace bug and potential security issue

Description:
------------
Using the latest stable Debian's PHP 5.2.6-1+lenny3. Can't use anything
newer on this production server, sorry.

Note that this malfunction in regular expressions might create exploitable
application vulnerabilities (for example, a forum routine to sanitize
posts). So this should be treated as a security fix.


// This code works as expected and outputs: ttt www.exa.com/ZZZ ttt 

echo preg_replace( 
         '#([a-z\.]+)+ZZZ#',
         'i',
         'ttt www.exa.com/ZZZ ttt');


// The following code is the same but it will not work, even though it
// should. It will produce just an empty string. The only difference
// between this call and the previous call is that the text contains
// a LONGER domain name (instead of "exa", it contains the word
// "example").

echo preg_replace( 
         '#([a-z\.]+)+ZZZ#',
         'i',
         'ttt www.example.com/ZZZ ttt');


Note: preg_last_error() returns the bogus PREG_SET_ORDER, which should
apply only to preg_match_all() and not to preg_replace().

Reproduce code:
---------------
echo preg_replace( 
         '#([a-z\.]+)+ZZZ#',
         'i',
         'ttt www.example.com/ZZZ ttt');

Expected result:
----------------
ttt www.example.com/ZZZ ttt 

Actual result:
--------------
Empty string

-- 
Edit bug report at http://bugs.php.net/?id=49091&edit=1
-- 
Try a snapshot (PHP 5.2):            
http://bugs.php.net/fix.php?id=49091&r=trysnapshot52
Try a snapshot (PHP 5.3):            
http://bugs.php.net/fix.php?id=49091&r=trysnapshot53
Try a snapshot (PHP 6.0):            
http://bugs.php.net/fix.php?id=49091&r=trysnapshot60
Fixed in SVN:                        
http://bugs.php.net/fix.php?id=49091&r=fixed
Fixed in SVN and need be documented: 
http://bugs.php.net/fix.php?id=49091&r=needdocs
Fixed in release:                    
http://bugs.php.net/fix.php?id=49091&r=alreadyfixed
Need backtrace:                      
http://bugs.php.net/fix.php?id=49091&r=needtrace
Need Reproduce Script:               
http://bugs.php.net/fix.php?id=49091&r=needscript
Try newer version:                   
http://bugs.php.net/fix.php?id=49091&r=oldversion
Not developer issue:                 
http://bugs.php.net/fix.php?id=49091&r=support
Expected behavior:                   
http://bugs.php.net/fix.php?id=49091&r=notwrong
Not enough info:                     
http://bugs.php.net/fix.php?id=49091&r=notenoughinfo
Submitted twice:                     
http://bugs.php.net/fix.php?id=49091&r=submittedtwice
register_globals:                    
http://bugs.php.net/fix.php?id=49091&r=globals
PHP 4 support discontinued:          http://bugs.php.net/fix.php?id=49091&r=php4
Daylight Savings:                    http://bugs.php.net/fix.php?id=49091&r=dst
IIS Stability:                       
http://bugs.php.net/fix.php?id=49091&r=isapi
Install GNU Sed:                     
http://bugs.php.net/fix.php?id=49091&r=gnused
Floating point limitations:          
http://bugs.php.net/fix.php?id=49091&r=float
No Zend Extensions:                  
http://bugs.php.net/fix.php?id=49091&r=nozend
MySQL Configuration Error:           
http://bugs.php.net/fix.php?id=49091&r=mysqlcfg

Reply via email to