From: jason at vancetech dot com
Operating system: FreeBSD 6.1
PHP version: 4.4.4
PHP Bug Type: PCRE related
Bug description: preg_replace allows backreferences from a replacement string
Description:
------------
preg_replace allows backreferences from the replacement string which seems insecure. Parsing every replacement string is necessary when data comes from a tainted source. Perl handles this nicely by only allowing backreferences that are used directly in the replacement text and not contained in a {tainted} string.

Reproduce code:
---------------
$text = 'This item costs $0.99';
$html = '<b>%COST%No items%COST%</b>';
print preg_replace('/%COST%.*?%COST%/i', $text, $html);

Expected result:
----------------
<b>This item costs $0.99</b>

Actual result:
--------------
This item costs %COST%No items%COST%.99

--
Edit bug report at http://bugs.php.net/?id=38920&edit=1
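The behaviour reported above comes from preg_replace() parsing its replacement argument for $n / \n backreferences, so the "$0" inside the tainted text expands to the whole match. The following is an added example, not code from the bug report, showing two ways to insert untrusted text literally; it assumes PHP 5.3 or later for the closure, and the helper names are invented here.

```php
<?php
// Added example: inserting a tainted string as a literal replacement.
// In a preg_replace() replacement, only '\' and '$' are special, and a
// backslash in front of either one makes it literal.

function replaceLiteralViaEscape($pattern, $literal, $subject)
{
    // Escape '\' and '$' so the engine copies them through unchanged
    // instead of reading '$0' as "the entire match".
    $escaped = addcslashes($literal, '\\$');
    return preg_replace($pattern, $escaped, $subject);
}

function replaceLiteralViaCallback($pattern, $literal, $subject)
{
    // The callback's return value is inserted verbatim: nothing in it
    // is parsed for backreferences, so no escaping is needed.
    return preg_replace_callback(
        $pattern,
        function ($m) use ($literal) { return $literal; },
        $subject
    );
}

// Constructed inputs, matching the report's reproduction.
$text    = 'This item costs $0.99';          // tainted replacement text
$html    = '<b>%COST%No items%COST%</b>';
$pattern = '/%COST%.*?%COST%/i';

// Vulnerable call: "$0" in $text is expanded to the matched text.
echo preg_replace($pattern, $text, $html), "\n";

// Hardened variants: $text lands in the output exactly as given.
echo replaceLiteralViaEscape($pattern, $text, $html), "\n";
echo replaceLiteralViaCallback($pattern, $text, $html), "\n";
```

Either hardened variant produces the "Expected result" from the report; the callback form is the one to prefer when the replacement is built from user-controlled data, since it has no escaping step to get wrong.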