https://bugs.php.net/bug.php?id=74066
I've only just stated using the extension, but I'd have thought that the following would have raised warnings.
Test script:
<?php
$tainted = '1-Evil';
taint($tainted);
preg_match('/^1-(.*)/', $tainted, $matches);
echo $matches[1] . "\n";
echo str_ireplace('1-', '2-', $tainted) . "\n";
echo preg_replace('/^1-/', '2-', $tainted) . "\n";
?>
Expected result:
Warning: main() [echo]: Attempt to echo a string that might be tainted in
./index.php on line
8
1-Evil
Warning: main() [echo]: Attempt to echo a string that might be tainted in
./index.php on line
9
2-Evil
Warning: main() [echo]: Attempt to echo a string that might be tainted in
./index.php on line
10
2-Evil
Actual result:
Evil
2-Evil
2-Evil
https://bugs.php.net/bug.php?id=74066
I've only just stated using the extension, but I'd have thought that the following would have raised warnings.
Test script:
Expected result:
Warning: main() [echo]: Attempt to echo a string that might be tainted in ./index.php on line 8
1-Evil
Warning: main() [echo]: Attempt to echo a string that might be tainted in ./index.php on line 9
2-Evil
Warning: main() [echo]: Attempt to echo a string that might be tainted in ./index.php on line 10
2-Evil
Actual result:
Evil
2-Evil
2-Evil