PHP Class Psecio\Parse\Rule\PregReplaceWithEvalModifier
With the
e modifier set
preg_replace() does normal substitution of
backreferences in the replacement string, evaluates it as PHP code, and
uses the result for replacing the search string.
This modifier is deprecated as of PHP
5.5 and use is highly discouraged
as it can easily introduce security vulnerabilites.
Example of failing code
The following code can be easily exploited by passing in a string such as
{${eval($_GET[php_code])}}
. This gives the attacker the ability
to execute arbitrary PHP code and as such gives him nearly complete access
to your server.
$html = preg_replace(
'((.*?))e',
'"" . strtoupper("$2") . ""',
$_POST['html']
);
How to fix?
Use the
preg_replace_callback() function instead.
$html = preg_replace_callback(
'((.*?))',
function ($m) {
return "" . strtoupper($m[2]) . "";
},
$_POST['html']
);
Show file
Open project: psecio/parse
Public Methods
Method |
Description |
|
isValid ( PhpParser\Node $node ) |
|
|
Method Details
public isValid ( PhpParser\Node $node ) |
$node |
PhpParser\Node |
|