rfc:remove_preg_replace_eval_modifier
rfc:remove_preg_replace_eval_modifier [2012/02/05 14:53] – nikic | rfc:remove_preg_replace_eval_modifier [2012/03/13 17:30] – Try to fix vote nikic
Line 3: | Line 3:
* Date: 2012-02-04 | * Date: 2012-02-04
* Author: Nikita Popov < | * Author: Nikita Popov <
- * Status: | + * Status:
===== Summary ===== | ===== Summary =====
Line 35: | Line 35:
For example, the above example can be used to execute arbitrary PHP code by passing the string | For example, the above example can be used to execute arbitrary PHP code by passing the string
''< | ''<
- ''"< | + ''
'' | ''
An example of a larger project which suffered from such a code injection vulnerability is RoundCube | An example of a larger project which suffered from such a code injection vulnerability is RoundCube
- (see [[this changeset|http:// | + (see [[http://
=== Alternative === | === Alternative ===
Line 75: | Line 75:
also results in unexpected behavior when the input contains quotes: | also results in unexpected behavior when the input contains quotes:
- '' | + ''
- escaped and in ''''' | + only ''
- E.g. if ''< | + the quote types to be overescaped. E.g. if ''<
- (note the additional backslashes). | + would be ''<
This behavior makes ''/ | This behavior makes ''/
Line 102: | Line 102:
replaced by a callback there would be no loss in functionality. | replaced by a callback there would be no loss in functionality.
- The time line for deprecation and removal is subject to discussion. | + ===== Vote =====
+
+ <doodle
+ title="
+ * yes
+ * no
+ </
+
+ ===== Current state =====
+
+ The ''/
+ be removed at some later point in time.
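The callback migration the RFC argues causes no loss in functionality, as an added example that is not part of the RFC text or of PHP's own code. The function names expand_template and pattern_uses_eval_modifier and the sample $vars data are hypothetical; the commented-out /e call is the legacy form the RFC proposes to deprecate.

```php
<?php
// Added example, not part of the RFC text. Function names and sample data
// are hypothetical; the commented-out /e call is the form being deprecated.

// Legacy /e form, shown only for comparison: PCRE substitutes the captured
// text into the replacement string, backslash-escapes quotes in it and
// eval()s the result, so a placeholder is run as PHP source rather than
// looked up as data. PHP 7.0 removed /e; the call now warns and returns NULL.
//   $out = preg_replace('/\{(\w+)\}/e', '$vars["\\1"]', $template);

// Callback replacement: captures arrive as plain strings. Nothing is
// compiled, so quotes in the input are neither executed nor over-escaped.
function expand_template(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\{(\w+)\}/',
        function (array $m) use ($vars): string {
            // Unknown placeholders stay as written instead of becoming code.
            return $vars[$m[1]] ?? $m[0];
        },
        $template
    );
}

// Audit helper for finding remaining /e users in a code base: splits a
// pattern string into delimiter, body and modifier flags and reports
// whether the flags contain 'e'. Bracket-style delimiters are handled.
function pattern_uses_eval_modifier(string $pattern): bool
{
    $pattern = ltrim($pattern);
    if ($pattern === '') {
        return false;
    }
    $open  = $pattern[0];
    $pairs = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
    $close = $pairs[$open] ?? $open;
    $end   = strrpos($pattern, $close);
    if ($end === false || $end === 0) {
        return false; // no closing delimiter, so no modifier section
    }
    return strpos(substr($pattern, $end + 1), 'e') !== false;
}

// Constructed input: the apostrophe shows the data is used verbatim.
$vars = ['who' => 'world', 'name' => "O'Brien"];
echo expand_template('Hello {who}, this is {name} ({missing})', $vars), "\n";
var_dump(pattern_uses_eval_modifier('/\{(\w+)\}/e'));
var_dump(pattern_uses_eval_modifier('{\{(\w+)\}}ie'));
var_dump(pattern_uses_eval_modifier('/\{(\w+)\}/i'));
```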
rfc/remove_preg_replace_eval_modifier.txt · Last modified: 2017/09/22 13:28 by 127.0.0.1