List: php-doc-cvs
Subject: [DOC-CVS] svn: /phpdoc/en/trunk/reference/pcre/pattern.modifiers.xml
From: Nikita_Popov <nikic () php ! net>
Date: 2012-06-19 12:43:00
Message-ID: svn-nikic-1340109780-326239-585696637 () svn ! php ! net
nikic Tue, 19 Jun 2012 12:43:00 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=326239
Log:
Add /e modifier warning
As discussed on IRC this does not mention that it will be deprecated in 5.5, only says that it is "discouraged".
Changed paths:
U phpdoc/en/trunk/reference/pcre/pattern.modifiers.xml
Modified: phpdoc/en/trunk/reference/pcre/pattern.modifiers.xml
===================================================================
--- phpdoc/en/trunk/reference/pcre/pattern.modifiers.xml 2012-06-19 11:56:29 UTC (rev \
326238)
+++ phpdoc/en/trunk/reference/pcre/pattern.modifiers.xml 2012-06-19 12:43:00 UTC (rev \
326239) @@ -104,6 +104,58 @@
<function>preg_replace</function>.
</para>
</caution>
+ <caution>
+ <para>
+ <simpara>
+ Use of this modifier is <emphasis>discouraged</emphasis>, as it can easily \
introduce + security vulnerabilites:
+ </simpara>
+ <informalexample>
+ <programlisting role="php">
+<![CDATA[
+<?php
+$html = $_POST['html'];
+
+// uppercase headings
+$html = preg_replace(
+ '(<h([1-6])>(.*?)</h\1>)e',
+ '"<h$1>" . strtoupper("$2") . "</h$1>"',
+ $html
+);
+]]>
+ </programlisting>
+ </informalexample>
+ <simpara>
+ The above example code can be easily exploited by passing in a string such \
as + <literal><h1>{${eval($_GET[php_code])}}</h1></literal>. \
This gives + the attacker the ability to execute arbitrary PHP code and as \
such gives him + nearly complete access to your server.
+ </simpara>
+
+ <simpara>
+ To prevent this kind of remote code execution vulnerability the
+ <function>preg_replace_callback</function> function should be used \
instead: + </simpara>
+
+ <informalexample>
+ <programlisting role="php">
+<![CDATA[
+<?php
+$html = $_POST['html'];
+
+// uppercase headings
+$html = preg_replace_callback(
+ '(<h([1-6])>(.*?)</h\1>)',
+ function ($m) {
+ return "<h$m[1]>" . strtoupper($m[2]) . "</h$m[1]>";
+ },
+ $html
+);
+]]>
+ </programlisting>
+ </informalexample>
+ </para>
+ </caution>
<note>
<para>
Only <function>preg_replace</function> uses this modifier;
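Review bot: typo in the first simpara of the new <caution>: "vulnerabilites" should read "vulnerabilities". Two further points on the same hunk: the vulnerable example is meant to be exploitable and is correct as written (with /e the backreference text is spliced into the double-quoted replacement and then evaluated, which is exactly why the `{${...}}` payload mentioned in the text fires), but the "fixed" example passes an anonymous function to <function>preg_replace_callback</function>, which requires PHP 5.3 or later; since the /e modifier is documented for earlier versions as well, consider noting the version requirement or mentioning that a named function or <literal>array($obj, 'method')</literal> callback works the same way on older releases. Lastly, "gives him nearly complete access to your server" is the only gendered pronoun in this file; "gives them" or "gives the attacker" would match the surrounding style.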
--
PHP Documentation Commits Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php