phpBB3 / PHPBB3-11606

make_clickable() in includes/functions_content.php uses deprecated preg_replace() /e modifier (PREG_REPLACE_EVAL)

    Details

    • Type: Improvement
    • Status: Unverified Fix
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.11, 3.1.0-dev
    • Fix Version/s: 3.1.0-a1
    • Component/s: Posting
    • Labels:
      None
    • Environment:
      PHP 5.4.15, MySQL 5.5.31, Google Chrome 27.0.1453.110

      Description

      make_clickable() in includes/functions_content.php uses deprecated preg_replace() /e modifier (PREG_REPLACE_EVAL)
      see http://www.php.net/manual/en/reference.pcre.pattern.modifiers.php


          Activity

          fredsa fredsa [X] (Inactive) added a comment -

          Pull request https://github.com/phpbb/phpbb3/pull/1479
          nickvergessen Joas Schilling added a comment -

          I think it should go into olympus?
          bantu Andreas Fischer added a comment -

          Why?
          nickvergessen Joas Schilling added a comment -

          okay, it's 5.5, 3.1 then
          bantu Andreas Fischer added a comment -

          It's deprecated in PHP 5.5 and deprecated is not the same as removed.
          AmigoJack AmigoJack added a comment -

          It is deprecated because it's a security threat:

          $_POST['html']= '<h1>{${eval($_GET[php_code])}}</h1>';  // Malicious input, being called with .php?php_code=system('rm -rf')

          // uppercase headings
          $html= preg_replace
          ( '(<h([1-6])>(.*?)</h\1>)e'
          , '"<h$1>". strtoupper("$2"). "</h$1>"'
          , $_POST['html']
          );

          And I doubt one can easily sanitize the input. That's why all modifier e usages for preg_replace() in phpBB should be replaced with preg_replace_callback().
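          The fix the thread converges on, preg_replace_callback() in place of the /e modifier, applied to the heading-uppercasing snippet from the comment above. This is an added illustration, not phpBB's make_clickable() code and not code posted in this issue; the function name uppercase_headings and the sample input are assumptions made for the example.

```php
<?php
// Added example (not phpBB's own code): the same heading-uppercasing logic as
// the comment above, without the /e modifier. With /e, PHP substituted "$2"
// into the replacement string and then eval()'d the result, so a match such as
// {${eval(...)}} turned into live code. A callback receives the match as an
// ordinary string argument, and whatever it contains stays data.

/**
 * Uppercase the text of <h1>..<h6> headings.
 *
 * The pattern is the one from the comment, minus the trailing "e" modifier.
 */
function uppercase_headings($html)
{
    return preg_replace_callback(
        '(<h([1-6])>(.*?)</h\1>)',   // same pattern, no /e
        function (array $m) {
            // $m[1] is the heading level, $m[2] the heading text; both are plain strings.
            return '<h' . $m[1] . '>' . strtoupper($m[2]) . '</h' . $m[1] . '>';
        },
        $html
    );
}

/**
 * Check that the brace syntax the /e variant would have evaluated is
 * preserved verbatim (only uppercased) by the callback variant.
 */
function braces_survive_as_text()
{
    // Constructed input in the shape of the comment's malicious example,
    // with a harmless marker where the eval() call would be.
    $input  = '<h1>{${marker}}</h1><h2>plain</h2>';
    $output = uppercase_headings($input);
    return $output === '<h1>{${MARKER}}</h1><h2>PLAIN</h2>';
}

var_dump(braces_survive_as_text()); // bool(true): the braces are literal text, nothing was evaluated
```

          Running the file with the PHP CLI prints bool(true) and raises no deprecation notice on PHP 5.5, which is the observable difference from the /e version. When auditing a code base for remaining /e usages, search every preg_replace() call site for an "e" among the modifiers after the closing pattern delimiter; the delimiter varies (here it is a parenthesis, elsewhere commonly "/" or "#"), so a plain search for "/e" alone misses patterns like the one in this issue.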

            People

            • Assignee:
              bantu Andreas Fischer
            • Reporter:
              fredsa fredsa [X] (Inactive)
            • Votes:
              0
            • Watchers:
              4
