php-src

archive/php-src

Fork 0

mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00

Commit graph

Author SHA1 Message Date

Author	SHA1	Message	Date
Jorg Adam Sowa	73722df439	Improve preg_* functions warnings for NUL byte (#13068 ) * Improve error messages for preg_ functions * Adjusted tests and fixed formatting * Removed unnecessary strings from preg_* tests * Removed ZPP tests	2024-01-07 13:40:54 +00:00
Ilija Tovilo	9bfdfcac8f	Replace more hard-coded line numbers	2022-06-23 16:28:42 +02:00
tobil4sk	5bb3e233db	Implement #77726 : Allow null character in regex patterns In `8b3c1a3`, this was disallowed to fix #55856, which was a security issue caused by the /e modifier. The fix that was made was the "Easier fix" as described in the original report. With this fix, pattern strings are no longer treated as null terminated, so null characters can be placed inside and matched against with regex patterns without security problems, so there is no longer a reason to give the error. Allowing this is consistent with the behaviour of many other languages, including JavaScript, and thanks to PCRE2[0], it does not require manually escaping null characters. Now that we can avoid the error here without the cost of escaping characters, there is really no need anymore to stray here from the conventional behaviour. Currently, null characters are still disallowed before the first delimiter and in the options section at the end of a regex string, but these error messages have been updated. [0] Since PCRE2, pattern strings no longer have to be null terminated, and raw null characters match as normal. Closes GH-8114.	2022-06-17 19:30:44 +02:00

Jorg Adam Sowa

73722df439

Improve preg_* functions warnings for NUL byte (#13068 )

* Improve error messages for preg_ functions
* Adjusted tests and fixed formatting
* Removed unnecessary strings from preg_* tests
* Removed ZPP tests

2024-01-07 13:40:54 +00:00

Ilija Tovilo

9bfdfcac8f

Replace more hard-coded line numbers

2022-06-23 16:28:42 +02:00

tobil4sk

5bb3e233db

Implement #77726 : Allow null character in regex patterns

In 8b3c1a3, this was disallowed to fix #55856, which was a security
issue caused by the /e modifier. The fix that was made was the
"Easier fix" as described in the original report.

With this fix, pattern strings are no longer treated as null terminated,
so null characters can be placed inside and matched against with regex
patterns without security problems, so there is no longer a reason to
give the error. Allowing this is consistent with the behaviour of many
other languages, including JavaScript, and thanks to PCRE2[0], it does
not require manually escaping null characters. Now that we can avoid the
error here without the cost of escaping characters, there is really no
need anymore to stray here from the conventional behaviour.

Currently, null characters are still disallowed before the first
delimiter and in the options section at the end of a regex string, but
these error messages have been updated.

[0] Since PCRE2, pattern strings no longer have to be null terminated,
and raw null characters match as normal.

Closes GH-8114.

2022-06-17 19:30:44 +02:00

3 commits