From: <var...@us...> - 2017-10-01 19:00:42
Revision: 10034 http://sourceforge.net/p/phpwiki/code/10034 Author: vargenau Date: 2017-10-01 19:00:39 +0000 (Sun, 01 Oct 2017) Log Message: ----------- Remote code execution through preg_replace() calls. Patches by Thomas Gerbet, Tuleap Modified Paths: -------------- trunk/lib/ErrorManager.php trunk/lib/WikiTheme.php trunk/lib/plugin/WikiAdminRename.php trunk/lib/plugin/WikiAdminSearchReplace.php trunk/lib/stdlib.php trunk/lib/wikilens/Utils.php Modified: trunk/lib/ErrorManager.php =================================================================== --- trunk/lib/ErrorManager.php 2017-10-01 18:27:52 UTC (rev 10033) +++ trunk/lib/ErrorManager.php 2017-10-01 19:00:39 UTC (rev 10034) @@ -494,7 +494,7 @@ $dir .= "\\"; } else $dir .= '/'; - $errfile = preg_replace('|^' . preg_quote($dir) . '|', '', $this->errfile); + $errfile = preg_replace('|^' . preg_quote($dir, '|') . '|', '', $this->errfile); $lines = explode("\n", $this->errstr); if (DEBUG & _DEBUG_VERBOSE) { $msg = sprintf("%s:%d %s[%d]: %s", @@ -637,7 +637,7 @@ $dir .= "\\"; } else $dir .= '/'; - $errfile = preg_replace('|^' . preg_quote($dir) . '|', '', $this->errfile); + $errfile = preg_replace('|^' . preg_quote($dir, '|') . '|', '', $this->errfile); if (is_string($this->errstr)) $lines = explode("\n", $this->errstr); elseif (is_object($this->errstr)) Modified: trunk/lib/WikiTheme.php =================================================================== --- trunk/lib/WikiTheme.php 2017-10-01 18:27:52 UTC (rev 10033) +++ trunk/lib/WikiTheme.php 2017-10-01 19:00:39 UTC (rev 10034) 
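Review bot: Both ErrorManager.php hunks (at -494 and -637) only strip a literal directory prefix from `$this->errfile`, so the regex is not needed and the delimiter question can be removed altogether. Passing `'|'` to preg_quote() is correct for the `|...|` pattern, but a prefix test such as `strncmp($this->errfile, $dir, strlen($dir)) === 0` followed by `substr($this->errfile, strlen($dir))` does the same job without building a pattern from a path. If the regex stays, a comment like `// 2nd argument must match the '|' delimiter of the pattern` on each call would keep the argument from being dropped in a later edit. The enclosing methods start and end outside both hunks.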
@@ -884,13 +884,25 @@ $qtext = urlencode($text); $url = $this->_findButton("$qtext.png"); if ($url && strstr($url, '%')) { - $url = preg_replace('|([^/]+)$|e', 'urlencode("\\1")', $url); + $url = preg_replace_callback( + '|([^/]+)$|', + function (array $matches) { + return urlencode($matches[1]); + }, + $url + ); } if (!$url) { // Jeff complained about png not supported everywhere. // This was not PC until 2005. $url = $this->_findButton("$qtext.gif"); if ($url && strstr($url, '%')) { - $url = preg_replace('|([^/]+)$|e', 'urlencode("\\1")', $url); + $url = preg_replace_callback( + '|([^/]+)$|', + function (array $matches) { + return urlencode($matches[1]); + }, + $url + ); } } if ($url and $this->DUMP_MODE) { Modified: trunk/lib/plugin/WikiAdminRename.php =================================================================== --- trunk/lib/plugin/WikiAdminRename.php 2017-10-01 18:27:52 UTC (rev 10033) +++ trunk/lib/plugin/WikiAdminRename.php 2017-10-01 19:00:39 UTC (rev 10034) @@ -56,7 +56,7 @@ public static function renameHelper($name, $from, $to, $options = array()) { if (isset($options['regex'])) { - return preg_replace('/' . $from . '/' . (isset($options['icase']) ? 'i' : ''), $to, $name); + return preg_replace('/' . str_replace('/', '\/', $from) . '/'.($options['icase']?'i':''), $to, $name); } elseif (isset($options['icase'])) { return str_ireplace($from, $to, $name); } else { Modified: trunk/lib/plugin/WikiAdminSearchReplace.php =================================================================== --- trunk/lib/plugin/WikiAdminSearchReplace.php 2017-10-01 18:27:52 UTC (rev 10033) +++ trunk/lib/plugin/WikiAdminSearchReplace.php 2017-10-01 19:00:39 UTC (rev 10034) 
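Review bot: The replacement closure is written out twice in this hunk, once for the `.png` lookup and once for the `.gif` fallback, so a later change to one copy can miss the other. Defining it once before the first `if`, for example `$encodeLast = function (array $m) { return urlencode($m[1]); };`, and passing `$encodeLast` to both preg_replace_callback() calls keeps the two paths identical. preg_replace_callback() returns null on a PCRE error, which in the `.png` case falls through to `if (!$url)`; a short comment saying whether that fallback is intended would help the next reader. The enclosing method starts and ends outside the hunk.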
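Review bot: Escaping the delimiter with `str_replace('/', '\/', $from)` in renameHelper() is incomplete: when `$from` already has a backslash directly before a slash, the added backslash pairs with the existing one and the slash stays a live delimiter, so the text after it is parsed as pattern modifiers. On PHP versions that still accept the `e` modifier this leaves open the evaluation path the commit is meant to close. The same construction is used in the WikiAdminSearchReplace.php hunk, and on the context line `$glob = str_replace("/", "\\/", $glob);` in the stdlib.php hunk, where the effect depends on code outside the hunk. The escape should apply only to slashes preceded by an even number of backslashes, and a `$from` containing a NUL byte should be rejected before the pattern is assembled. Separately, `$options['icase']` replaces `isset($options['icase'])` and raises an undefined-index notice when only `regex` is set, while the `elseif` below still uses isset(); `!empty($options['icase'])` avoids that.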
@@ -167,7 +167,7 @@ $version = $current->getVersion(); $text = $current->getPackedContent(); if ($regex) { - $newtext = preg_replace("/" . $from . "/" . ($case_exact ? '' : 'i'), $to, $text); + $newtext = preg_replace('/' . str_replace('/', '\/', $from) . '/' .($case_exact?'':'i'), $to, $text); } else { if ($case_exact) { $newtext = str_replace($from, $to, $text); Modified: trunk/lib/stdlib.php =================================================================== --- trunk/lib/stdlib.php 2017-10-01 18:27:52 UTC (rev 10033) +++ trunk/lib/stdlib.php 2017-10-01 19:00:39 UTC (rev 10034) @@ -1458,7 +1458,7 @@ $glob = str_replace("/", "\\/", $glob); // first convert some unescaped expressions to pcre style: . => \. $special = '.^$'; - $re = preg_replace('/([^\xff])?([' . preg_quote($special) . '])/', + $re = preg_replace('/([^\xff])?(['.preg_quote($special, '/').'])/', "\\1\xff\\2", $glob); // * => .*, ? => . Modified: trunk/lib/wikilens/Utils.php =================================================================== --- trunk/lib/wikilens/Utils.php 2017-10-01 18:27:52 UTC (rev 10033) +++ trunk/lib/wikilens/Utils.php 2017-10-01 19:00:39 UTC (rev 10034) @@ -41,9 +41,9 @@ } // add new data to the appropriate line - if (preg_match('/^' . preg_quote($START_DELIM) . '/', $text)) { + if (preg_match('/^' . preg_quote($START_DELIM, '/') . '/', $text)) { // need multiline modifier to match EOL correctly - $text = preg_replace('/(^' . preg_quote($START_DELIM) . '.*)$/m', + $text = preg_replace('/(^' . preg_quote($START_DELIM, '/') . '.*)$/m', '$1' . $DELIM . $new_data, $text); } else { // handle case where the line does not yet exist This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
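Review bot: In the second changed call of the Utils.php hunk, `$DELIM . $new_data` is passed as the replacement argument of preg_replace(), where `$n` and `\n` sequences are expanded as backreferences, so data containing a dollar sign or backslash followed by a digit would be altered when it is written. Whether `$new_data` can carry such characters depends on callers outside the hunk. If it can, a callback avoids the interpretation: `preg_replace_callback($pattern, function ($m) use ($DELIM, $new_data) { return $m[1] . $DELIM . $new_data; }, $text)`. The added `'/'` argument to preg_quote() is right for the `/.../` patterns here. The enclosing function starts and ends outside the hunk.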