#49091 [Ana]: preg_replace bug and potential security issue

Tue, 28 Jul 2009 16:23:20 -0700 

 ID:               49091
 Updated by:       ras...@php.net
 Reported By:      nomail at example dot com
 Status:           Analyzed
 Bug Type:         *Regular Expressions
 Operating System: Debian Linux 5.0 Lenny
 PHP Version:      5.2.10
 New Comment:

Note also that if you crank up the backtrack limit in pcre, your second
example works:

pcre.backtrack_limit=1000000


Previous Comments:
------------------------------------------------------------------------

[2009-07-28 23:15:32] ras...@php.net

PREG_SET_ORDER is not an error constant.  The actual error is
PREG_BACKTRACK_LIMIT_ERROR which is set when the pcre library returns a
PCRE_ERROR_MATCHLIMIT

Run the command-line pcre test tool and file a bug with pcre if you
think this is a bug.



------------------------------------------------------------------------

[2009-07-28 22:36:02] nomail at example dot com

Description:
------------
Using the latest stable Debian's PHP 5.2.6-1+lenny3. Can't use anything
newer on this production server, sorry.

Note that this malfunction in regular expressions might create
exploitable application vulnerabilities (for example, a forum routine to
sanitize posts). So this should be treated as a security fix.


// This code works as expected and outputs: ttt www.exa.com/ZZZ ttt 

echo preg_replace( 
         '#([a-z\.]+)+ZZZ#',
         'i',
         'ttt www.exa.com/ZZZ ttt');


// The following code is the same but it will not work, even though it
// should. It will produce just an empty string. The only difference
// between this call and the previous call is that the text contains
// a LONGER domain name (instead of "exa", it contains the word
// "example").

echo preg_replace( 
         '#([a-z\.]+)+ZZZ#',
         'i',
         'ttt www.example.com/ZZZ ttt');


Note: preg_last_error() returns the bogus PREG_SET_ORDER, which should
apply only to preg_match_all() and not to preg_replace().

Reproduce code:
---------------
echo preg_replace( 
         '#([a-z\.]+)+ZZZ#',
         'i',
         'ttt www.example.com/ZZZ ttt');

Expected result:
----------------
ttt www.example.com/ZZZ ttt 

Actual result:
--------------
Empty string


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=49091&edit=1

Reply via email to