Date: Mon, 15 Dec 2008 23:52:44 +0100
From: Christian Hoffmann <hoffie@...too.org>
To: oss-security@...ts.openwall.com
CC: jlieskov@...hat.com, Raphael Geissert <atomo64+debian@...il.com>
Subject: Re:  Re: CVE Request - roundcubemail

On 2008-12-15 11:32, Florian Weimer wrote:
> Nowhere in the documentation it says that "" quotes are unsafe when
> combined with a sufficiently general capture pattern.
Well yes, it would probably be better to have a big warning at this
place, because this flag is very dangerous unless used properly and all
use cases should be expressible through preg_replace_callback as well,
which is hard to use improperly from a syntax point of view, as no
evaluation of user-supplied data is ever going to happen. :)
But I would not say that PHP or its docs are wrong because of this.

Of course you can still mess up your callback function in a way which
creates issues, but this is a generic issue which might as well happen
at different places in your code.


> Do you happen to know if it's safe in all cases to use '' quotes
> around the capture reference?  For instance, how does PHP deal with
> MBCS in the replacement string?
I cannot think of a case where single quotes could be easily
circumvented somehow, but I'd never claim to be perfectly right here.
Upstream added a perfectly fine fix, they replaced the /e usage by
preg_replace_callback, so I don't see a reason why you would want to
apply a different fix.


-- 
Christian Hoffmann
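
The replacement discussed in the message above, as an added example that is not part of the original post or of the Roundcube fix: a hypothetical `[upper]` tag handler moved from `/e` to `preg_replace_callback`. The tag syntax, the function name and the sample input are assumptions made for illustration.

```php
<?php
// Added example; the [upper] tag and render_upper_tags() are hypothetical.

// Before (kept as a comment only: the /e modifier was deprecated in PHP 5.5
// and removed in PHP 7.0). With /e the replacement string is evaluated as
// PHP code after the capture has been substituted into it, so the captured
// text ends up inside a double-quoted PHP string literal:
//
//   preg_replace('/\[upper\](.*?)\[\/upper\]/e', 'strtoupper("\\1")', $input);

/**
 * After: the capture arrives as an ordinary array element and is only ever
 * passed to strtoupper() as data; nothing is handed to the PHP evaluator.
 */
function render_upper_tags(string $input): string
{
    $result = preg_replace_callback(
        '/\[upper\](.*?)\[\/upper\]/s',
        static function (array $m): string {
            // $m[0] is the whole match, $m[1] the first capture group.
            return strtoupper($m[1]);
        },
        $input
    );
    if ($result === null) {
        // preg_* functions return null on a PCRE error (e.g. backtrack limit).
        throw new RuntimeException('PCRE error code: ' . preg_last_error());
    }
    return $result;
}

// Constructed sample input containing characters that are significant
// inside a double-quoted PHP string (quote, dollar sign, backslash).
$sample = 'hello [upper]a "quoted" $name \\ value[/upper] world';

// The captured characters are treated as plain text and only upper-cased.
echo render_upper_tags($sample), PHP_EOL;
```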

