PHP class Psecio\Parse\Rule\PregReplaceWithEvalModifier
With the e modifier set, preg_replace() does normal substitution of backreferences in the replacement string, evaluates the result as PHP code, and uses the value that code returns as the replacement for the matched string. This modifier is deprecated as of PHP 5.5 and its use is highly discouraged, as it can easily introduce security vulnerabilities.
Example of failing code
The following code can be easily exploited by passing in a string such as {${eval($_GET[php_code])}}. This gives the attacker the ability to execute arbitrary PHP code and, with it, nearly complete access to your server.

    // With /e, the replacement string is evaluated as PHP after backreference
    // substitution, so text captured from $_POST['html'] is interpolated into
    // code that is then eval()'d.
    $html = preg_replace(
        '((.*?))e',
        '"" . strtoupper("$2") . ""',
        $_POST['html']
    );
How to fix?
Use the preg_replace_callback() function instead.

    // Without /e nothing is evaluated: the callback receives the match array
    // and the user-supplied text is only ever handled as data.
    $html = preg_replace_callback(
        '((.*?))',
        function ($m) {
            return "" . strtoupper($m[2]) . "";
        },
        $_POST['html']
    );
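A defender-side check in the spirit of this rule, added here as an example and not part of psecio/parse: it resolves a pattern literal's delimiter the way PHP does (bracket delimiters nest, which is why the page's '((.*?))e' pattern ends in an e modifier) and flags preg_replace() calls whose literal pattern carries /e. SAMPLE_PHP is constructed sample source built from the two snippets above.

```python
import re
# Bracket-style delimiters that PHP's preg_* functions treat as nesting pairs.
BRACKET_PAIRS = {'(': ')', '[': ']', '{': '}', '<': '>'}

def pattern_modifiers(pattern: str) -> str:
    """Modifier characters of a PHP PCRE pattern. Mirrors PHP's delimiter rules:
    leading whitespace skipped, bracket delimiters nest, other delimiters end at
    their first unescaped repetition; ValueError where PHP would warn."""
    pattern = pattern.lstrip()
    if not pattern:
        raise ValueError("empty regular expression")
    opener = pattern[0]
    if opener.isalnum() or opener == '\\':
        raise ValueError("delimiter must not be alphanumeric or backslash")
    closer = BRACKET_PAIRS.get(opener, opener)
    depth, i = 1, 1
    while i < len(pattern):
        ch = pattern[i]
        if ch == '\\':
            i += 2                      # backslash escapes the next character
            continue
        if ch == closer:
            depth -= 1
            if closer == opener or depth == 0:
                return pattern[i + 1:]  # whatever follows the closer is modifiers
        elif ch == opener:
            depth += 1
        i += 1
    raise ValueError("no ending delimiter found")

def find_eval_modifier_calls(php_source: str):
    """(line, pattern literal) for preg_replace() calls with a literal pattern
    using /e. Simpler than the page's AST rule: only plain quoted literals."""
    call = re.compile(r"""\bpreg_replace\s*\(\s*(['"])((?:\\.|(?!\1).)*)\1""", re.S)
    findings = []
    for m in call.finditer(php_source):
        try:
            mods = pattern_modifiers(m.group(2))
        except ValueError:
            continue                    # malformed pattern: PHP rejects it anyway
        if 'e' in mods:
            findings.append((php_source.count('\n', 0, m.start()) + 1, m.group(2)))
    return findings

# Constructed sample: the page's failing call, its fixed form, one escaped delimiter.
SAMPLE_PHP = r"""<?php
$html = preg_replace('((.*?))e', '"" . strtoupper("$2") . ""', $_POST['html']);
$html = preg_replace_callback('((.*?))', function ($m) { return strtoupper($m[2]); }, $_POST['html']);
$path = preg_replace("/a\/b/i", "x", $path);
"""
```

Only the first call is reported; the preg_replace_callback() fix and the /i-only call pass. Note that PHP 7.0 removed /e entirely, so the flagged call also breaks on current PHP.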
Open project: psecio/parse

Public methods

Method | Description
isValid ( PhpParser\Node $node ) |

Method details

public isValid ( PhpParser\Node $node )
$node | PhpParser\Node |