From: nomail at example dot com Operating system: Debian Linux 5.0 Lenny PHP version: 5.2.10 PHP Bug Type: *Regular Expressions Bug description: preg_replace bug and potential security issue
Description: ------------ Using the latest stable Debian's PHP 5.2.6-1+lenny3. Can't use anything newer on this production server, sorry. Note that this malfunction in regular expressions might create exploitable application vulnerabilities (for example, a forum routine to sanitize posts). So this should be treated as a security fix. // This code works as expected and outputs: ttt www.exa.com/ZZZ ttt echo preg_replace( '#([a-z\.]+)+ZZZ#', 'i', 'ttt www.exa.com/ZZZ ttt'); // The following code is the same but it will not work, even though it // should. It will produce just an empty string. The only difference // between this call and the previous call is that the text contains // a LONGER domain name (instead of "exa", it contains the word // "example"). echo preg_replace( '#([a-z\.]+)+ZZZ#', 'i', 'ttt www.example.com/ZZZ ttt'); Note: preg_last_error() returns the bogus PREG_SET_ORDER, which should apply only to preg_match_all() and not to preg_replace(). Reproduce code: --------------- echo preg_replace( '#([a-z\.]+)+ZZZ#', 'i', 'ttt www.example.com/ZZZ ttt'); Expected result: ---------------- ttt www.example.com/ZZZ ttt Actual result: -------------- Empty string -- Edit bug report at http://bugs.php.net/?id=49091&edit=1 -- Try a snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=49091&r=trysnapshot52 Try a snapshot (PHP 5.3): http://bugs.php.net/fix.php?id=49091&r=trysnapshot53 Try a snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=49091&r=trysnapshot60 Fixed in SVN: http://bugs.php.net/fix.php?id=49091&r=fixed Fixed in SVN and need be documented: http://bugs.php.net/fix.php?id=49091&r=needdocs Fixed in release: http://bugs.php.net/fix.php?id=49091&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=49091&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=49091&r=needscript Try newer version: http://bugs.php.net/fix.php?id=49091&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=49091&r=support Expected behavior: http://bugs.php.net/fix.php?id=49091&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=49091&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=49091&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=49091&r=globals PHP 4 support discontinued: http://bugs.php.net/fix.php?id=49091&r=php4 Daylight Savings: http://bugs.php.net/fix.php?id=49091&r=dst IIS Stability: http://bugs.php.net/fix.php?id=49091&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=49091&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=49091&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=49091&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=49091&r=mysqlcfg