Date: Mon, 15 Dec 2008 23:52:44 +0100
From: Christian Hoffmann <hoffie@...too.org>
To: oss-security@...ts.openwall.com
CC: jlieskov@...hat.com, Raphael Geissert <atomo64+debian@...il.com>
Subject: Re: Re: CVE Request - roundcubemail

On 2008-12-15 11:32, Florian Weimer wrote:
> Nowhere in the documentation it says that "" quotes are unsafe when
> combined with a sufficiently general capture pattern.

Well yes, it would probably be better to have a big warning at this
place, because this flag is very dangerous unless used properly and all
use cases should be expressible through preg_replace_callback as well,
which is hard to use improperly from a syntax point of view, as no
evaluation of user-supplied data is ever going to happen. :)
But I would not say that PHP or its docs are wrong because of this.
Of course you can still mess up your callback function in a way which
creates issues, but this is a generic issue which might as well happen
at different places in your code.

> Do you happen to know if it's safe in all cases to use '' quotes
> around the capture reference? For instance, how does PHP deal with
> MBCS in the replacement string?

I cannot think of a case where single quotes could be easily
circumvented somehow, but I'd never claim to be perfectly right here.
Upstream added a perfectly fine fix, they replaced the /e usage by
preg_replace_callback, so I don't see a reason why you would want to
apply a different fix.
--
Christian Hoffmann
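
The kind of replacement discussed in this message, as an added example (not part of the original message and not Roundcube's code): a /e-style call shown only as a comment, next to the preg_replace_callback form. The `[u]...[/u]` marker syntax, the function name `upper_marked` and the sample input are assumptions made for illustration.

```php
<?php
// Constructed example; the [u]...[/u] marker syntax and the function name
// upper_marked() are hypothetical, not taken from Roundcube.

// Legacy form (PHP < 7.0 only; the /e modifier was deprecated in PHP 5.5 and
// removed in 7.0). The capture is pasted into a double-quoted PHP string
// literal and the resulting text is evaluated as PHP code, so the literal's
// interpolation rules are applied to user-supplied text:
//
//   $out = preg_replace('/\[u\](.*?)\[\/u\]/e', 'strtoupper("\\1")', $input);

function upper_marked(string $input): string
{
    // The callback receives the match array as plain data; nothing in the
    // captured text is ever parsed or evaluated as PHP.
    $out = preg_replace_callback(
        '/\[u\](.*?)\[\/u\]/s',
        function (array $m): string {
            return strtoupper($m[1]);
        },
        $input
    );

    // preg_replace_callback() returns null on a PCRE error (for example when
    // the backtrack limit is hit); fail closed instead of passing null on.
    if ($out === null) {
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $out;
}

// Constructed input: characters that carry meaning inside a double-quoted
// PHP string ($, {, }, ", \) are ordinary text to the callback.
$sample = 'a [u]cost is $total {net} "quoted" \\n[/u] b';
echo upper_marked($sample), PHP_EOL;
```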