oss-sec mailing list archives

Re: Re: CVE Request - roundcubemail


From: Christian Hoffmann <hoffie () gentoo org>
Date: Mon, 15 Dec 2008 23:52:44 +0100

On 2008-12-15 11:32, Florian Weimer wrote:
> Nowhere in the documentation it says that "" quotes are unsafe when
> combined with a sufficiently general capture pattern.

Well yes, it would probably be better to have a big warning at this
place, because this flag is very dangerous unless used properly and all
use cases should be expressible through preg_replace_callback as well,
which is hard to use improperly from a syntax point of view, as no
evaluation of user-supplied data is ever going to happen. :)
But I would not say that PHP or its docs are wrong because of this.

Of course you can still mess up your callback function in a way which
creates issues, but this is a generic issue which might as well happen
at different places in your code.


> Do you happen to know if it's safe in all cases to use '' quotes
> around the capture reference?  For instance, how does PHP deal with
> MBCS in the replacement string?

I cannot think of a case where single quotes could be easily
circumvented somehow, but I'd never claim to be perfectly right here.
Upstream added a perfectly fine fix, they replaced the /e usage by
preg_replace_callback, so I don't see a reason why you would want to
apply a different fix.


-- 
Christian Hoffmann
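
The difference between the two forms discussed in the message above, as an added example that is not part of the original post and not Roundcube's code. The pattern, the function name `upcase_headings` and the sample input are hypothetical.

```php
<?php
// Added illustration; the pattern and function name are hypothetical.

// Shape of the /e usage discussed in the thread, shown only as a comment
// (the /e modifier was deprecated in PHP 5.5.0 and removed in PHP 7.0.0):
//   preg_replace('/<h1>(.*?)<\/h1>/ie', 'strtoupper("\\1")', $html);
// With /e the replacement string is assembled from the capture and then
// evaluated as PHP source, so the quoting inside that string is the only
// thing separating matched input from code.

function upcase_headings(string $html): string
{
    // The callback receives the match array as ordinary string data.
    // Nothing taken from $m is ever parsed as PHP.
    $out = preg_replace_callback(
        '/<h1>(.*?)<\/h1>/is',
        static function (array $m): string {
            return "\n" . strtoupper($m[1]) . "\n";
        },
        $html
    );

    // preg_replace_callback returns null on a PCRE error (for example a
    // backtrack limit hit); fail closed instead of returning empty output.
    if ($out === null) {
        throw new RuntimeException('PCRE error code ' . preg_last_error());
    }
    return $out;
}

// Constructed sample input: quote, backslash, dollar and brace characters,
// which would be significant inside an evaluated double-quoted string,
// are plain data on the callback path.
$sample = '<h1>Price is "$total" \\ {$x}</h1><p>body</p>';

echo upcase_headings($sample), "\n";
```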
