From: <var...@us...> - 2017-10-01 19:00:42
Revision: 10034
http://sourceforge.net/p/phpwiki/code/10034
Author: vargenau
Date: 2017-10-01 19:00:39 +0000 (Sun, 01 Oct 2017)
Log Message:
-----------
Remote code execution through preg_replace() calls. Patches by Thomas Gerbet, Tuleap
Modified Paths:
--------------
trunk/lib/ErrorManager.php
trunk/lib/WikiTheme.php
trunk/lib/plugin/WikiAdminRename.php
trunk/lib/plugin/WikiAdminSearchReplace.php
trunk/lib/stdlib.php
trunk/lib/wikilens/Utils.php
Modified: trunk/lib/ErrorManager.php
===================================================================
--- trunk/lib/ErrorManager.php 2017-10-01 18:27:52 UTC (rev 10033)
+++ trunk/lib/ErrorManager.php 2017-10-01 19:00:39 UTC (rev 10034)
@@ -494,7 +494,7 @@
$dir .= "\\";
} else
$dir .= '/';
- $errfile = preg_replace('|^' . preg_quote($dir) . '|', '', $this->errfile);
+ $errfile = preg_replace('|^' . preg_quote($dir, '|') . '|', '', $this->errfile);
$lines = explode("\n", $this->errstr);
if (DEBUG & _DEBUG_VERBOSE) {
$msg = sprintf("%s:%d %s[%d]: %s",
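Review bot: Stripping the directory prefix from `$this->errfile` does not need a regular expression at all, here or in the identical line of the second hunk at -637. A plain prefix comparison avoids building a pattern from a filesystem path, so no delimiter or metacharacter quoting is involved: `$errfile = $this->errfile;` followed by `if (strncmp($errfile, $dir, strlen($dir)) === 0) $errfile = substr($errfile, strlen($dir));`. The enclosing method starts and ends outside both hunks, so how `$dir` is derived is not visible here.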
@@ -637,7 +637,7 @@
$dir .= "\\";
} else
$dir .= '/';
- $errfile = preg_replace('|^' . preg_quote($dir) . '|', '', $this->errfile);
+ $errfile = preg_replace('|^' . preg_quote($dir, '|') . '|', '', $this->errfile);
if (is_string($this->errstr))
$lines = explode("\n", $this->errstr);
elseif (is_object($this->errstr))
Modified: trunk/lib/WikiTheme.php
===================================================================
--- trunk/lib/WikiTheme.php 2017-10-01 18:27:52 UTC (rev 10033)
+++ trunk/lib/WikiTheme.php 2017-10-01 19:00:39 UTC (rev 10034)
@@ -884,13 +884,25 @@
$qtext = urlencode($text);
$url = $this->_findButton("$qtext.png");
if ($url && strstr($url, '%')) {
- $url = preg_replace('|([^/]+)$|e', 'urlencode("\\1")', $url);
+ $url = preg_replace_callback(
+ '|([^/]+)$|',
+ function (array $matches) {
+ return urlencode($matches[1]);
+ },
+ $url
+ );
}
if (!$url) { // Jeff complained about png not supported everywhere.
// This was not PC until 2005.
$url = $this->_findButton("$qtext.gif");
if ($url && strstr($url, '%')) {
- $url = preg_replace('|([^/]+)$|e', 'urlencode("\\1")', $url);
+ $url = preg_replace_callback(
+ '|([^/]+)$|',
+ function (array $matches) {
+ return urlencode($matches[1]);
+ },
+ $url
+ );
}
}
if ($url and $this->DUMP_MODE) {
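Review bot: The same anonymous callback is written out twice, once for the `.png` lookup and once for the `.gif` fallback, so the two copies can drift apart. Assigning it once, `$encodeLastSegment = function (array $matches) { return urlencode($matches[1]); };`, and passing `$encodeLastSegment` to both `preg_replace_callback()` calls keeps the replacement for the removed `e` modifier in one place. A comment above it such as `// URL-encode only the final path segment; a callback is used because the /e modifier evaluated the substituted match as PHP code` would record why the callback form must stay. The enclosing method extends beyond the hunk.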
Modified: trunk/lib/plugin/WikiAdminRename.php
===================================================================
--- trunk/lib/plugin/WikiAdminRename.php 2017-10-01 18:27:52 UTC (rev 10033)
+++ trunk/lib/plugin/WikiAdminRename.php 2017-10-01 19:00:39 UTC (rev 10034)
@@ -56,7 +56,7 @@
public static function renameHelper($name, $from, $to, $options = array())
{
if (isset($options['regex'])) {
- return preg_replace('/' . $from . '/' . (isset($options['icase']) ? 'i' : ''), $to, $name);
+ return preg_replace('/' . str_replace('/', '\/', $from) . '/'.($options['icase']?'i':''), $to, $name);
} elseif (isset($options['icase'])) {
return str_ireplace($from, $to, $name);
} else {
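Review bot: The new line reads `$options['icase']` without `isset()`, so a regex rename without the icase option now raises an undefined-index notice, while the `elseif` just below still tests `isset($options['icase'])`; keep the original form, `'/' . (isset($options['icase']) ? 'i' : '')`. Separately, `str_replace('/', '\/', $from)` escapes every slash regardless of context, so a slash already preceded by a backslash in `$from` becomes an escaped backslash followed by a bare delimiter, and whatever follows is parsed as pattern modifiers. The same escaping is used in the WikiAdminSearchReplace.php hunk. Escaping only delimiters preceded by an even number of backslashes, or rejecting a `$from` that still contains an unescaped delimiter, would close that gap. renameHelper's body continues past the hunk.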
Modified: trunk/lib/plugin/WikiAdminSearchReplace.php
===================================================================
--- trunk/lib/plugin/WikiAdminSearchReplace.php 2017-10-01 18:27:52 UTC (rev 10033)
+++ trunk/lib/plugin/WikiAdminSearchReplace.php 2017-10-01 19:00:39 UTC (rev 10034)
@@ -167,7 +167,7 @@
$version = $current->getVersion();
$text = $current->getPackedContent();
if ($regex) {
- $newtext = preg_replace("/" . $from . "/" . ($case_exact ? '' : 'i'), $to, $text);
+ $newtext = preg_replace('/' . str_replace('/', '\/', $from) . '/' .($case_exact?'':'i'), $to, $text);
} else {
if ($case_exact) {
$newtext = str_replace($from, $to, $text);
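Review bot: `preg_replace()` returns `null` when the administrator-supplied pattern fails to compile or hits a PCRE limit, and nothing in this hunk checks for that before `$newtext` is used. If the code after the hunk compares or saves `$newtext` directly, a malformed pattern could be handled as an edit to empty content; that part is not visible here, so this needs confirming against the rest of the function. A guard right after the call, `if ($newtext === null) { /* report the invalid pattern and skip this page */ }`, would make the failure explicit. The enclosing function begins and ends outside the hunk.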
Modified: trunk/lib/stdlib.php
===================================================================
--- trunk/lib/stdlib.php 2017-10-01 18:27:52 UTC (rev 10033)
+++ trunk/lib/stdlib.php 2017-10-01 19:00:39 UTC (rev 10034)
@@ -1458,7 +1458,7 @@
$glob = str_replace("/", "\\/", $glob);
// first convert some unescaped expressions to pcre style: . => \.
$special = '.^$';
- $re = preg_replace('/([^\xff])?([' . preg_quote($special) . '])/',
+ $re = preg_replace('/([^\xff])?(['.preg_quote($special, '/').'])/',
"\\1\xff\\2", $glob);
// * => .*, ? => .
Modified: trunk/lib/wikilens/Utils.php
===================================================================
--- trunk/lib/wikilens/Utils.php 2017-10-01 18:27:52 UTC (rev 10033)
+++ trunk/lib/wikilens/Utils.php 2017-10-01 19:00:39 UTC (rev 10034)
@@ -41,9 +41,9 @@
}
// add new data to the appropriate line
- if (preg_match('/^' . preg_quote($START_DELIM) . '/', $text)) {
+ if (preg_match('/^' . preg_quote($START_DELIM, '/') . '/', $text)) {
// need multiline modifier to match EOL correctly
- $text = preg_replace('/(^' . preg_quote($START_DELIM) . '.*)$/m',
+ $text = preg_replace('/(^' . preg_quote($START_DELIM, '/') . '.*)$/m',
'$1' . $DELIM . $new_data, $text);
} else {
// handle case where the line does not yet exist
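Review bot: `$new_data` is concatenated into the replacement argument of `preg_replace()`, where sequences such as `$1` or `\1` are interpreted as back-references, so data containing a dollar sign or backslash followed by a digit would be silently altered when stored. Where `$new_data` comes from is not visible in this hunk, so whether such characters can occur is an assumption to confirm. A callback keeps the data literal: `preg_replace_callback('/(^' . preg_quote($START_DELIM, '/') . '.*)$/m', function ($m) use ($DELIM, $new_data) { return $m[1] . $DELIM . $new_data; }, $text)`. The enclosing function begins and ends outside the hunk.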