有人可以解释/e regex修饰符吗? [英] Can someone explain the /e regex modifier?
问题描述
我目前正在提高有关HTML,PHP,JavaScript等中安全漏洞的知识.
几个小时前,我偶然发现了正则表达式中的/e修饰符,但仍然不知道它是如何工作的.我看了一下文档,但这并没有真正的帮助.
我了解的是,可以对该修饰符进行操作,以使某人有机会执行其中的PHP代码(例如,preg_replace()).我看过以下示例,它描述了一个安全漏洞,但是没有解释,所以有人可以解释一下如何在以下代码中调用phpinfo()吗?
$input = htmlentities("");
if (strpos($input, 'bla'))
{
echo preg_replace("/" .$input ."/", $input ."<img src='".$input.".png'>", "bla");
}
PHP中的e正则表达式修饰符,带有示例漏洞&替代方案
e的功能,并带有示例...
e修饰符是不推荐使用的正则表达式修饰符,它使您可以在正则表达式中使用PHP代码.这意味着您解析的内容都将作为程序的一部分进行评估.
例如,我们可以使用以下内容:
$input = "Bet you want a BMW.";
echo preg_replace("/([a-z]*)/e", "strtoupper('\\1')", $input);
这将输出BET YOU WANT A BMW.
没有e修饰符,我们将得到非常不同的输出:
strtoupper('')Bstrtoupper('et')strtoupper('') strtoupper('you')strtoupper('') strtoupper('want')strtoupper('') strtoupper('a')strtoupper('') strtoupper('')Bstrtoupper('')Mstrtoupper('')Wstrtoupper('').strtoupper('')
e ...
出于安全原因,e修饰符已不推荐使用.这是一个问题的示例,使用e可以很容易地遇到该问题:
$password = 'secret';
...
$input = $_GET['input'];
echo preg_replace('|^(.*)$|e', '"\1"', $input);
如果我将输入提交为"$password",则此函数的输出将为secret.因此,对于我来说,访问会话变量非常容易,所有变量都在后端使用,甚至可以通过这段编写拙劣的代码来对您的应用程序(eval('cat /etc/passwd');?)进行更深层次的控制.
与类似不推荐使用的mysql库一样,这并不意味着您不能使用e编写不受漏洞影响的代码,只是这样做更加困难. /p>
您应该改用什么...
您应该在几乎所有情况下使用 preg_replace_callback 您会考虑使用e修饰符的位置.在这种情况下,代码绝对不会那么简短,但是不要让它愚弄您-它的速度是它的两倍:
$input = "Bet you want a BMW.";
echo preg_replace_callback(
"/([a-z]*)/",
function($matches){
foreach($matches as $match){
return strtoupper($match);
}
},
$input
);
在性能方面,没有理由使用e ...
与
What The For example, we can use something like this: This will output Without the Potential security issues with The If I submit my input as Like the similarly deprecated What you should use instead... You should use preg_replace_callback in nearly all places you would consider using the On performance, there's no reason to use Unlike the 这篇关于有人可以解释/e regex修饰符吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!mysql库(出于安全目的也已弃用)不同,对于大多数操作,e的速度并不比其替代方法快.对于给定的示例,它的运行速度是它的两倍: preg_replace_callback (50,000次操作为0.14秒)与The
e Regex Modifier in PHP with example vulnerability & alternativese does, with an example...e modifier is a deprecated regex modifier which allows you to use PHP code within your regular expression. This means that whatever you parse in will be evaluated as a part of your program.$input = "Bet you want a BMW.";
echo preg_replace("/([a-z]*)/e", "strtoupper('\\1')", $input);
BET YOU WANT A BMW.e modifier, we get this very different output:strtoupper('')Bstrtoupper('et')strtoupper('') strtoupper('you')strtoupper('') strtoupper('want')strtoupper('') strtoupper('a')strtoupper('') strtoupper('')Bstrtoupper('')Mstrtoupper('')Wstrtoupper('').strtoupper('')
e...e modifier is deprecated for security reasons. Here's an example of an issue you can run into very easily with e:$password = 'secret';
...
$input = $_GET['input'];
echo preg_replace('|^(.*)$|e', '"\1"', $input);
"$password", the output to this function will be secret. It's very easy, therefore, for me to access session variables, all variables being used on the back-end and even take deeper levels of control over your application (eval('cat /etc/passwd');?) through this simple piece of poorly written code.mysql libraries, this doesn't mean that you cannot write code which is not subject to vulnerability using e, just that it's more difficult to do so.e modifier. The code is definitely not as brief in this case but don't let that fool you -- it's twice as fast:$input = "Bet you want a BMW.";
echo preg_replace_callback(
"/([a-z]*)/",
function($matches){
foreach($matches as $match){
return strtoupper($match);
}
},
$input
);
e...mysql libraries (which were also deprecated for security purposes), e is not quicker than its alternatives for most operations. For the example given, it's twice as slow: preg_replace_callback (0.14 sec for 50,000 operations) vs e modifier (0.32 sec for 50,000 operations)
