[wp-trac] [WordPress Trac] #8689: preg_replace with /e forbidden with Suhosin patch

WordPress Trac wp-trac at lists.automattic.com
Sat Dec 20 22:35:06 GMT 2008


#8689: preg_replace with /e forbidden with Suhosin patch
--------------------------+-------------------------------------------------
 Reporter:  BenBE         |       Owner:  ryan   
     Type:  defect (bug)  |      Status:  new    
 Priority:  high          |   Milestone:  2.7.1  
Component:  Security      |     Version:  2.7    
 Severity:  major         |    Keywords:  Suhosin
--------------------------+-------------------------------------------------
 When a server runs the Suhosin Patch, one option allows web administrators
 to enable certain security-related functionality, like disabling remote URL
 inclusion or disabling certain functions like eval, with much better
 granularity. One of these options you can choose from is to disable the /e
 modifier of the preg_replace command, as this modifier allows arbitrary
 code to be executed.

 If this option is enabled, parts of WordPress stop working. So you can
 either patch all those locations by hand every time you need to update your
 WordPress blog, or stop using WordPress, or kindly ask the developers to
 cease using preg_replace with the /e modifier and instead switch to
 preg_replace_callback, which in turn provides you with much more
 flexibility.

 Affected locations in WordPress 2.7 (DE version) are:
 {{{
 File wordpress\wp-admin\import\blogger.php
      553  $post_content = preg_replace('|<(/?[A-Z]+)|e', "'<' . strtolower('$1')", $post_content);
      606  $comment_content = preg_replace('|<(/?[A-Z]+)|e', "'<' . strtolower('$1')", $comment_content);
 File wordpress\wp-admin\import\blogware.php
       92  $post_content = preg_replace('|<(/?[A-Z]+)|e', "'<' . strtolower('$1')", $post_content);
      132  $comment_content = preg_replace('|<(/?[A-Z]+)|e', "'<' . strtolower('$1')", $comment_content);
 File wordpress\wp-admin\import\livejournal.php
       73  $post_content = preg_replace('|<(/?[A-Z]+)|e', "'<' . strtolower('$1')", $post_content);
      109  $comment_content = preg_replace('|<(/?[A-Z]+)|e', "'<' . strtolower('$1')", $comment_content);
 File wordpress\wp-admin\import\rss.php
      106  $post_content = preg_replace('|<(/?[A-Z]+)|e', "'<' . strtolower('$1')", $post_content);
 File wordpress\wp-admin\import\wordpress.php
      384  $post_excerpt = preg_replace('|<(/?[A-Z]+)|e', "'<' . strtolower('$1')", $post_excerpt);
      389  $post_content = preg_replace('|<(/?[A-Z]+)|e', "'<' . strtolower('$1')", $post_content);
 File wordpress\wp-content\plugins\ajaxd-wordpress\control\aWP-admin.php
       55  $options = preg_replace('!s:(\d+):"(.*?)";!e', "'s:'.strlen('$2').':\"$2\";'", $options );
 File wordpress\wp-includes\class-phpmailer.php
     1423  $encoded = preg_replace('/([\000-\011\013\014\016-\037\075\077\137\177-\377])/e',
 File wordpress\wp-includes\formatting.php
     1151  $subject = preg_replace('#\=([0-9a-f]{2})#ei', "chr(hexdec(strtolower('$1')))", $subject);
 File wordpress\wp-includes\kses.php
      397  return preg_replace('%((<!--.*?(-->|$))|(<[^>]*(>|$)|>))%e',
     1002  $string = preg_replace('/&#([0-9]+);/e', 'chr("\\1")', $string);
     1003  $string = preg_replace('/&#[Xx]([0-9A-Fa-f]+);/e', 'chr(hexdec("\\1"))', $string);
 File wordpress\wp-includes\post-template.php
      226  $output = preg_replace('/\%u([0-9A-F]{4,4})/e', "'&#'.base_convert('\\1',16,10).';'", $output);
 File wordpress\wp-includes\js\tinymce\plugins\spellchecker\classes\GoogleSpell.php
      109  $string = preg_replace('~&#x([0-9a-f]+);~ei', 'chr(hexdec("\\1"))', $string);
      110  $string = preg_replace('~&#([0-9]+);~e', 'chr(\\1)', $string);
 }}}

 In order to quickly find the places where such a call is present, you can
 use the following regular expression:
 {{{
 /preg_replace\s*\(\s*'(.).+?\1[^']*?e[^']*'/
 }}}

-- 
Ticket URL: <http://trac.wordpress.org/ticket/8689>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
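The following is an added example, not code from the ticket or from WordPress itself. It rewrites the /e calls whose full text the report shows (the importer tag-lowercasing call, the two kses.php numeric-entity decoders, the formatting.php =XX decoder and the post-template.php %uXXXX converter) as preg_replace_callback calls, so that no replacement string is ever evaluated as PHP, and it runs the report's audit regex over a few constructed source lines. The original /e forms appear only as comments, since PHP 5.5 deprecates the modifier and PHP 7 removes it. The two calls the report lists truncated (class-phpmailer.php 1423 and kses.php 397) are not reconstructed here because their replacement arguments are not on the page. Function names and sample inputs are this example's own assumptions; closures require PHP 5.3 or later.

```php
<?php
// Added example (not WordPress code). Each function replaces one of the /e calls
// listed in ticket #8689 with a preg_replace_callback equivalent. Behaviour is kept
// identical to the original replacement expression (including chr() reducing its
// argument to a single byte), only the eval step disappears.

// Importers (blogger.php 553 etc.): lowercase HTML tag names.
//   Before: preg_replace('|<(/?[A-Z]+)|e', "'<' . strtolower('$1')", $post_content);
function lowercase_tag_names($html) {
    return preg_replace_callback(
        '|<(/?[A-Z]+)|',
        function ($m) { return '<' . strtolower($m[1]); },
        $html
    );
}

// kses.php 1002/1003: decode decimal and hexadecimal numeric character references.
//   Before: preg_replace('/&#([0-9]+);/e', 'chr("\\1")', $string);
//           preg_replace('/&#[Xx]([0-9A-Fa-f]+);/e', 'chr(hexdec("\\1"))', $string);
function decode_numeric_refs($string) {
    $string = preg_replace_callback(
        '/&#([0-9]+);/',
        function ($m) { return chr((int) $m[1]); },
        $string
    );
    return preg_replace_callback(
        '/&#[Xx]([0-9A-Fa-f]+);/',
        function ($m) { return chr(hexdec($m[1])); },
        $string
    );
}

// formatting.php 1151: quoted-printable style =XX escapes (case-insensitive hex).
//   Before: preg_replace('#\=([0-9a-f]{2})#ei', "chr(hexdec(strtolower('$1')))", $subject);
function decode_qp_hex($subject) {
    return preg_replace_callback(
        '#\=([0-9a-f]{2})#i',
        function ($m) { return chr(hexdec($m[1])); },   // hexdec() is case-insensitive already
        $subject
    );
}

// post-template.php 226: JavaScript %uXXXX escapes to decimal numeric entities.
//   Before: preg_replace('/\%u([0-9A-F]{4,4})/e', "'&#'.base_convert('\\1',16,10).';'", $output);
function percent_u_to_entity($output) {
    return preg_replace_callback(
        '/\%u([0-9A-F]{4,4})/',
        function ($m) { return '&#' . base_convert($m[1], 16, 10) . ';'; },
        $output
    );
}

// The ticket's audit regex, applied line by line; returns 1-based numbers of lines
// that call preg_replace with an /e modifier inside a single-quoted pattern.
function find_e_modifier_calls(array $lines) {
    $hits = array();
    foreach ($lines as $n => $line) {
        if (preg_match("/preg_replace\s*\(\s*'(.).+?\\1[^']*?e[^']*'/", $line)) {
            $hits[] = $n + 1;
        }
    }
    return $hits;
}

// Constructed sample inputs (not taken from the ticket).
echo lowercase_tag_names('<P>Hello <B>World</B></P>'), "\n"; // <p>Hello <b>World</b></p>
echo decode_numeric_refs('&#65;&#x42;'), "\n";              // AB
echo decode_qp_hex('=4a=4B'), "\n";                         // JK
echo percent_u_to_entity('%u00E9'), "\n";                   // &#233;

$source = array(
    '$a = preg_replace(\'|<(/?[A-Z]+)|e\', "\'<\' . strtolower(\'$1\')", $a);', // /e: hit
    '$b = preg_replace_callback(\'|<(/?[A-Z]+)|\', $cb, $b);',                  // safe
    '$c = preg_replace(\'/foo/i\', \'bar\', $c);',                             // no /e
);
print_r(find_e_modifier_calls($source)); // only line 1 is reported
```

On PHP older than 5.3, where closures are unavailable, the same rewrite works by passing the name of a named function as the callback argument. The audit regex only catches patterns delimited by single quotes, as the report states, so a patterns kept in double-quoted strings or variables need a separate search.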

