Date: Mon, 15 Dec 2008 23:52:44 +0100 From: Christian Hoffmann <hoffie@...too.org> To: oss-security@...ts.openwall.com CC: jlieskov@...hat.com, Raphael Geissert <atomo64+debian@...il.com> Subject: Re: Re: CVE Request - roundcubemail On 2008-12-15 11:32, Florian Weimer wrote: > Nowhere in the documentation it says that "" quotes are unsafe when > combined with a sufficiently general capture pattern. Well yes, it would probably be better to have a big warning at this place, because this flag is very dangerous unless used properly and all use cases should be expressable through preg_replace_callback as well, which is hard to use improperly from a syntax point of view, as no evaluation of user-supplied data is ever going to happen. :) But I would not say that PHP or its docs are wrong because of this. Of course you can still mess up your callback function in a way which creates issues, but this is a generic issue which might as well happen at different places in your code. > Do you happen to know if it's safe in all cases to use '' quotes > around the capture reference? For instance, how does PHP deal with > MBCS in the replacement string? I cannot think of a case where single quotes could be easily circumvented somehow, but I'd never claim to be perfectly right here. Upstream added a perfectly fine fix, they replaced the /e usage by preg_replace_callback, so I don't see a reason why you would want to apply a different fix. -- Christian Hoffmann Download attachment "signature.asc" of type "application/pgp-signature" (261 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.