[wp-trac] [WordPress Trac] #8689: preg_replace with /e forbidden with Suhosin patch

WordPress Trac wp-trac at lists.automattic.com
Sat Dec 20 22:35:06 GMT 2008

#8689: preg_replace with /e forbidden with Suhosin patch
 Reporter:  BenBE         |       Owner:  ryan   
     Type:  defect (bug)  |      Status:  new    
 Priority:  high          |   Milestone:  2.7.1  
Component:  Security      |     Version:  2.7    
 Severity:  major         |    Keywords:  Suhosin
 When a server runs the Suhosin Patch one option allows web administrators
 to enable certain security-related functionality like disabling remote URL
 inclusion or disabling certain functions like eval with much better
 granularity. One of this options you can choose from is to disable the /e
 modifier of the preg_replace command as this modifier allows for arbitary
 code to get executed.

 If this option is enabled parts of WordPress stop working. So you either
 can patch all those locations by hand every time you need to update your
 WordPress blog or stop using WordPress or kindly ask the developers to
 cease using preg_replace with /e modifier and instead switch to using
 preg_replace_callback which in return provides you with much more

 Affected locations in WordPress 2.7 (DE version) are:
 File wordpress\wp-admin\import\blogger.php
      553                $post_content = preg_replace('|<(/?[A-Z]+)|e',
 "'<' . strtolower('$1')", $post_content);
      606                $comment_content = preg_replace('|<(/?[A-Z]+)|e',
 "'<' . strtolower('$1')", $comment_content);
 File wordpress\wp-admin\import\blogware.php
       92                        $post_content =
 preg_replace('|<(/?[A-Z]+)|e', "'<' . strtolower('$1')", $post_content);
      132                                        $comment_content =
 preg_replace('|<(/?[A-Z]+)|e', "'<' . strtolower('$1')",
 File wordpress\wp-admin\import\livejournal.php
       73                        $post_content =
 preg_replace('|<(/?[A-Z]+)|e', "'<' . strtolower('$1')", $post_content);
      109                                        $comment_content =
 preg_replace('|<(/?[A-Z]+)|e', "'<' . strtolower('$1')",
 File wordpress\wp-admin\import\rss.php
      106                        $post_content =
 preg_replace('|<(/?[A-Z]+)|e', "'<' . strtolower('$1')", $post_content);
 File wordpress\wp-admin\import\wordpress.php
      384                $post_excerpt = preg_replace('|<(/?[A-Z]+)|e',
 "'<' . strtolower('$1')", $post_excerpt);
      389                $post_content = preg_replace('|<(/?[A-Z]+)|e',
 "'<' . strtolower('$1')", $post_content);
 File wordpress\wp-content\plugins\ajaxd-wordpress\control\aWP-admin.php
       55                        $options =
 preg_replace('!s:(\d+):"(.*?)";!e', "'s:'.strlen('$2').':\"$2\";'",
 $options );
 File wordpress\wp-includes\class-phpmailer.php
     1423          $encoded =
 File wordpress\wp-includes\formatting.php
     1151                $subject = preg_replace('#\=([0-9a-f]{2})#ei',
 "chr(hexdec(strtolower('$1')))", $subject);
 File wordpress\wp-includes\kses.php
      397        return
     1002        $string = preg_replace('/&#([0-9]+);/e', 'chr("\\1")',
     1003        $string = preg_replace('/&#[Xx]([0-9A-Fa-f]+);/e',
 'chr(hexdec("\\1"))', $string);
 File wordpress\wp-includes\post-template.php
      226                $output =
 "'&#'.base_convert('\\1',16,10).';'", $output);
 File wordpress\wp-
      109                $string = preg_replace('~&#x([0-9a-f]+);~ei',
 'chr(hexdec("\\1"))', $string);
      110                $string = preg_replace('~&#([0-9]+);~e',
 'chr(\\1)', $string);

 In order to quickly find the places where such a call is present, you can
 use the following regular expression:

Ticket URL: <http://trac.wordpress.org/ticket/8689>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list