merwetta1
asked on
preg_match code injection?
I have a little regex tool webpage I use to test regex as I'm creating it. It's been hidden on my site up until now, but I was thinking of adding a link to it. I'm wondering what the security risks are. Please take a look at the code below and let me know if/how it might potentially be abused.
I'm running PHP 4.3.10 on FreeBSD 4.8.
---------------------
<?php
echo '<html><body>';
if ($_POST['submit']) display_result();
else display_form();
?>
</body>
</html>
<?
exit;
##functions
function display_form($msg = '')
{
echo '<form action="'.$_SERVER['PHP_SELF'].'" method="post">';
?>
<input type="text" name="regex" value="<? echo $_POST['regex']; ?>" size="40" maxlength="100"> regex string<br />
<input type="text" name="test" value="<? echo $_POST['test']; ?>" size="20"> string to match<br />
<input type="submit" name="submit" value="Submit" />
</form>
<?
}
function display_result()
{
extract($_POST);
echo 'regex: '.$regex.'<br />';
echo 'string: '.$test.'<br />';
if (preg_match('/'.$regex.'/' , $test, $matches))
{
echo 'the string was matched as follows<br /><pre>';
print_r($matches);
echo '</pre>';
} else echo 'no match<br />';;
echo '<br />';
display_form('again?');
}
?>
merwetta1, I noticed some bugs =P
Give
" <b> something </b> "
as the expression and submit.. your page will be full of errors ! :(
... you should include the quotes too in the expression
That's right, you should escape any regex specific characters like /
TeRReF, I tried that, but those functions don't seem to work this time..
<?php
echo '<html><body>';
if ($_POST['submit']) display_result();
else display_form();
?>
</body>
</html>
<?
exit;
##functions
function display_form($msg = '')
{
echo '<form action="'.$_SERVER['PHP_SELF'].'" method="post">';
?>
<input type="text" name="regex" value="<? echo $_POST['regex']; ?>" size="40" maxlength="100"> regex string<br />
<input type="text" name="test" value="<? echo $_POST['test']; ?>" size="20"> string to match<br />
<input type="submit" name="submit" value="Submit" />
</form>
<?
}
function display_result()
{
extract($_POST);
echo 'regex: '.htmlspecialchars($regex) .'<br />';
echo 'string: '.htmlspecialchars($test). '<br />';
if (preg_match('/'.preg_quote(htmlspecialchars($regex)).'/' , htmlspecialchars($test), $matches))
{
echo 'the string was matched as follows<br /><pre>';
print_r($matches);
echo '</pre>';
} else echo 'no match<br />';;
echo '<br />';
display_form('again?');
}
?>
htmlspecialchars is not the right function for this since it will not escape / for instance.
Something like this should work:
$regex=trim($regex);
$regex = stripslashes($regex);
$regex = preg_quote ($regex, '/');
if (preg_match("/" . $regex . "/", $test, $matches )) {
print_r($matches);
}
Expect some parse errors since I'm in a hurry to leave :)
ASKER
mgh_mgharish: I'm not worried about the errors caused by entering a non regex expression, as long as those errors don't cause any security concerns.
"you should include the quotes too in the expression" <-- elaborate please
TeRRef:
It seems you are saying to remove all the slashes, then add back in the necessary ones. However, that will often slash things I don't want escaped. For instance, to get the street number from an address I might test the regex "^(\d+) (.*)" against the string "123 Main St.". If I use stripslashes and preg_quote on the regex, I end up with "\^\(d\+\) \(\.\*\)", which won't work.
I am focused on the security concerns here. Can you demonstrate how running unfiltered regex through preg_match could be harmful?
Not as long as you don't use eval to execute something with it ;)
However, $msg seems to be unused in display_form()
---
Harish
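Added example, not part of the original thread and not any poster's code: a hardened take on display_result() that keeps the user's regex semantics (unlike preg_quote on the whole pattern), escapes only bare "/" delimiters, drops extract($_POST), and HTML-encodes everything echoed back. It assumes PHP 7 or later; escape_delimiter() and run_regex_test() are hypothetical names.

```php
<?php
// Added example (not from the thread); function names are hypothetical.
// Escape only delimiters that are not already escaped, so "</b>" cannot end
// the pattern early while "^(\d+) (.*)" keeps its regex meaning.
function escape_delimiter(string $regex, string $delim = '/'): string
{
    $out = '';
    $len = strlen($regex);
    for ($i = 0; $i < $len; $i++) {
        $c = $regex[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $out .= $c . $regex[++$i];   // copy an existing escape pair untouched
        } elseif ($c === $delim) {
            $out .= '\\' . $c;           // bare delimiter: escape it
        } else {
            $out .= $c;
        }
    }
    return $out;
}

function run_regex_test(array $post): string
{
    // Read the two expected fields explicitly instead of extract($_POST),
    // which lets a request overwrite any local variable.
    $regex = isset($post['regex']) && is_string($post['regex']) ? $post['regex'] : '';
    $test  = isset($post['test'])  && is_string($post['test'])  ? $post['test']  : '';

    // maxlength="100" in the form is client-side only; enforce it here too.
    if (strlen($regex) > 100 || strpos($regex, "\0") !== false) {
        return 'regex rejected<br />';
    }
    // Encode for HTML on output only; the match itself runs on the raw strings.
    $html  = 'regex: '  . htmlspecialchars($regex, ENT_QUOTES, 'UTF-8') . '<br />';
    $html .= 'string: ' . htmlspecialchars($test, ENT_QUOTES, 'UTF-8')  . '<br />';

    $result = @preg_match('/' . escape_delimiter($regex) . '/', $test, $matches);
    if ($result === false) {   // compile error, or a PCRE limit such as backtracking
        return $html . 'invalid regex or PCRE limit reached<br />';
    }
    if ($result === 0) {
        return $html . 'no match<br />';
    }
    return $html . '<pre>' . htmlspecialchars(print_r($matches, true), ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Constructed sample inputs: the thread's "</b>" case and the asker's address regex.
echo run_regex_test(['regex' => '<b> something </b>', 'test' => 'a <b> something </b> b']), "\n";
echo run_regex_test(['regex' => '^(\d+) (.*)', 'test' => '123 Main St.']), "\n";
```

Calling htmlspecialchars() on the pattern or subject before matching, as in the variant posted above, changes what is being matched; encoding belongs at the point of output.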