List:       php-doc-cvs
Subject:    [DOC-CVS] svn: /phpdoc/en/trunk/reference/pcre/ pattern.modifiers.xml
From:       Nikita Popov <nikic@php.net>
Date:       2012-06-19 12:43:00
Message-ID: svn-nikic-1340109780-326239-585696637@svn.php.net

nikic                                    Tue, 19 Jun 2012 12:43:00 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=326239

Log:
Add /e modifier warning

As discussed on IRC this does not mention that it will be deprecated in 5.5, only says that it is "discouraged".

Changed paths:
    U   phpdoc/en/trunk/reference/pcre/pattern.modifiers.xml

Modified: phpdoc/en/trunk/reference/pcre/pattern.modifiers.xml
===================================================================
--- phpdoc/en/trunk/reference/pcre/pattern.modifiers.xml	2012-06-19 11:56:29 UTC (rev \
                326238)
+++ phpdoc/en/trunk/reference/pcre/pattern.modifiers.xml	2012-06-19 12:43:00 UTC (rev \
326239) @@ -104,6 +104,58 @@
          <function>preg_replace</function>.
         </para>
        </caution>
+       <caution>
+        <para>
+         <simpara>
+          Use of this modifier is <emphasis>discouraged</emphasis>, as it can easily \
introduce +          security vulnerabilites:
+         </simpara>
+         <informalexample>
+          <programlisting role="php">
+<![CDATA[
+<?php
+$html = $_POST['html'];
+
+// uppercase headings
+$html = preg_replace(
+    '(<h([1-6])>(.*?)</h\1>)e',
+    '"<h$1>" . strtoupper("$2") . "</h$1>"',
+    $html
+);
+]]>
+          </programlisting>
+         </informalexample>
+         <simpara>
+          The above example code can be easily exploited by passing in a string such \
as +          <literal>&lt;h1&gt;{${eval($_GET[php_code])}}&lt;/h1&gt;</literal>. \
This gives +          the attacker the ability to execute arbitrary PHP code and as \
such gives him +          nearly complete access to your server.
+         </simpara>
+
+         <simpara>
+          To prevent this kind of remote code execution vulnerability the
+          <function>preg_replace_callback</function> function should be used \
instead: +         </simpara>
+
+         <informalexample>
+          <programlisting role="php">
+<![CDATA[
+<?php
+$html = $_POST['html'];
+
+// uppercase headings
+$html = preg_replace_callback(
+    '(<h([1-6])>(.*?)</h\1>)',
+    function ($m) {
+        return "<h$m[1]>" . strtoupper($m[2]) . "</h$m[1]>";
+    },
+    $html
+);
+]]>
+          </programlisting>
+         </informalexample>
+        </para>
+       </caution>
        <note>
         <para>
          Only <function>preg_replace</function> uses this modifier;
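Review bot: "vulnerabilites" in the first added simpara should be "vulnerabilities". On structure, the new caution wraps its two `<simpara>` and two `<informalexample>` blocks inside a single `<para>`; block elements nested in a paragraph are awkward to render, so consider dropping the outer `<para>` and placing the `<simpara>` and `<informalexample>` children directly under `<caution>`. The prose could also make the contrast explicit: in the `/e` version the replacement string `'"<h$1>" . strtoupper("$2") . "</h$1>"'` is evaluated as PHP code with the captured text substituted into it, which is why `{${eval($_GET[php_code])}}` runs, whereas in the `preg_replace_callback` version `$m[2]` is only ever used as a string value and is never evaluated. One sentence saying that would help readers understand why the second example is safe rather than just different.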



-- 
PHP Documentation Commits Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
