Can someone explain the /e regex modifier?
Question
I am currently improving my knowledge about security vulnerabilities in HTML, PHP, JavaScript, etc. A few hours ago I stumbled upon the /e modifier in regular expressions, but I still don't know how it works. I looked at the documentation, but that didn't really help. What I understand is that this modifier can be manipulated so that someone gets the chance to execute PHP code within it (preg_replace(), for example). I have seen the following example, which describes a security vulnerability but gives no explanation, so can someone explain how phpinfo() could be called in the following code?
$input = htmlentities("");
if (strpos($input, 'bla'))
{
    echo preg_replace("/" .$input ."/", $input ."<img src='".$input.".png'>", "bla");
}
The e Regex Modifier in PHP, with example vulnerability & alternatives
What the e modifier does, with an example...
The e modifier is a deprecated regex modifier which allows you to use PHP code within your regular expression. This means that whatever you parse in will be evaluated as part of your program.
For example, we can use something like this:
$input = "Bet you want a BMW.";
echo preg_replace("/([a-z]*)/e", "strtoupper('\\1')", $input);
This will output BET YOU WANT A BMW.
Without the e modifier, we get this very different output:
strtoupper('')Bstrtoupper('et')strtoupper('') strtoupper('you')strtoupper('') strtoupper('want')strtoupper('') strtoupper('a')strtoupper('') strtoupper('')Bstrtoupper('')Mstrtoupper('')Wstrtoupper('').strtoupper('')
Potential security issues with e...
The e modifier is deprecated for security reasons. Here's an example of an issue you can run into very easily with e:
$password = 'secret';
...
$input = $_GET['input'];
echo preg_replace('|^(.*)$|e', '"\1"', $input);
If I submit my input as "$password", the output of this function will be secret. It's very easy, therefore, for me to access session variables, all variables being used on the back-end, and even take deeper levels of control over your application (eval('cat /etc/passwd'); ?) through this simple piece of poorly written code.
Like the similarly deprecated mysql libraries, this doesn't mean that you cannot write code which is not subject to vulnerability using e, just that it's more difficult to do so.
What you should use instead...
You should use preg_replace_callback in nearly all places you would consider using the e modifier. The code is definitely not as brief in this case, but don't let that fool you -- it's twice as fast:
$input = "Bet you want a BMW.";
echo preg_replace_callback(
    "/([a-z]*)/",
    function($matches){
        foreach($matches as $match){
            return strtoupper($match);
        }
    },
    $input
);
On performance, there's no reason to use e...
Unlike the mysql libraries (which were also deprecated for security purposes), e is not quicker than its alternatives for most operations. For the example given, it's twice as slow: preg_replace_callback (0.14 sec for 50,000 operations) vs e modifier (0.32 sec for 50,000 operations)
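As an added example (not code from the original question or answer), here are the answer's two replacements written with preg_replace_callback, plus a small audit helper that flags any legacy pattern string still carrying the /e modifier. The function names pattern_uses_e_modifier, uppercase_words and quote_input are my own, and the list of patterns in the loop is a constructed sample. It assumes PHP 7.0 or later, where /e is no longer accepted at all (preg_replace() emits an "Unknown modifier 'e'" warning and returns NULL), so the helper is useful when porting PHP 5 code rather than as a runtime shield.

```php
<?php
// Added example, not part of the original question or answer.
// Assumes PHP >= 7.0. Function names below are hypothetical.

/**
 * Return true when a PCRE pattern string ends in a modifier list that
 * contains 'e'. The delimiter is the first non-space character; the
 * closing delimiter is its last occurrence (or the matching bracket).
 */
function pattern_uses_e_modifier(string $pattern): bool
{
    $pattern = ltrim($pattern);
    if ($pattern === '') {
        return false;
    }
    $open  = $pattern[0];
    $pairs = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
    $close = $pairs[$open] ?? $open;
    $end   = strrpos($pattern, $close);
    if ($end === false || $end === 0) {
        return false;            // no closing delimiter, so no modifier list
    }
    $modifiers = substr($pattern, $end + 1);
    return strpos($modifiers, 'e') !== false;
}

/**
 * Upper-case every run of lowercase letters, as in the answer's example,
 * but with a callback: the replacement is produced by PHP we wrote, and
 * the subject string is never evaluated as code.
 */
function uppercase_words(string $subject): string
{
    return preg_replace_callback(
        '/([a-z]+)/',
        function (array $m): string {
            return strtoupper($m[1]);
        },
        $subject
    );
}

/**
 * The answer's vulnerable echo rewritten safely: wrap the whole input in
 * double quotes. With /e the quoted text was eval'd (so "$password" became
 * the variable's value); here it is only concatenated.
 */
function quote_input(string $input): string
{
    return preg_replace_callback(
        '|^(.*)$|',
        function (array $m): string {
            return '"' . $m[1] . '"';
        },
        $input
    );
}

$password = 'secret';

// Legacy patterns as they might turn up in a code audit (constructed sample).
foreach (['/([a-z]*)/e', '|^(.*)$|e', '/([a-z]+)/', '{^(.*)$}ie'] as $p) {
    printf("%-14s %s\n", $p, pattern_uses_e_modifier($p) ? 'REJECT (/e)' : 'ok');
}

echo uppercase_words('Bet you want a BMW.'), "\n";   // BET YOU WANT A BMW.

// Hostile-looking input is treated as data, not code: $password is not expanded.
echo quote_input('$password'), "\n";                  // "$password"
echo quote_input('phpinfo()'), "\n";                  // "phpinfo()"
```

Because the closure is ordinary PHP written by the developer, the captured text only ever appears as an argument to strtoupper() or in a string concatenation; an input of $password stays those nine literal characters instead of becoming secret, which is exactly the property the /e version lacked.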