Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Expanding list of functions that spread the tainted mark #43

Open
craigfrancis opened this issue Feb 9, 2017 · 0 comments
Open

Expanding list of functions that spread the tainted mark #43

craigfrancis opened this issue Feb 9, 2017 · 0 comments

Comments

@craigfrancis
Copy link
Contributor

craigfrancis commented Feb 9, 2017
edited
Loading

https://bugs.php.net/bug.php?id=74066

I've only just stated using the extension, but I'd have thought that the following would have raised warnings.

Test script:

<?php

$tainted = '1-Evil';
taint($tainted);

preg_match('/^1-(.*)/', $tainted, $matches);

echo $matches[1] . "\n";
echo str_ireplace('1-', '2-', $tainted) . "\n";
echo preg_replace('/^1-/', '2-', $tainted) . "\n";

?>

Expected result:


Warning: main() [echo]: Attempt to echo a string that might be tainted in ./index.php on line 8
1-Evil
Warning: main() [echo]: Attempt to echo a string that might be tainted in ./index.php on line 9
2-Evil
Warning: main() [echo]: Attempt to echo a string that might be tainted in ./index.php on line 10
2-Evil

Actual result:

Evil
2-Evil
2-Evil
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@craigfrancis