laruence / taint

Taint is a PHP extension, used for detecting XSS codes

Expanding list of functions that spread the tainted mark #43

Open craigfrancis opened 7 years ago

craigfrancis commented 7 years ago

https://bugs.php.net/bug.php?id=74066

I've only just started using the extension, but I'd have thought that the following would have raised warnings.

Test script:

<?php

$tainted = '1-Evil';
taint($tainted);

preg_match('/^1-(.*)/', $tainted, $matches);

echo $matches[1] . "\n";
echo str_ireplace('1-', '2-', $tainted) . "\n";
echo preg_replace('/^1-/', '2-', $tainted) . "\n";

?>

Expected result:

Warning: main() [echo]: Attempt to echo a string that might be tainted in ./index.php on line 8
1-Evil
Warning: main() [echo]: Attempt to echo a string that might be tainted in ./index.php on line 9
2-Evil
Warning: main() [echo]: Attempt to echo a string that might be tainted in ./index.php on line 10
2-Evil

Actual result:

Evil
2-Evil
2-Evil
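One way to enumerate which string operations drop the mark, so the gap described above can be checked as the propagation list grows (added example, not code from the issue or the taint project; it assumes the extension's `taint()` and `is_tainted()` functions and that `htmlspecialchars()` is treated as a sanitizer that clears the mark):

```php
<?php
// Added example: run with the taint extension loaded. It derives several
// values from one tainted string and reports which derivations lose the mark.

$source = '1-Evil';
taint($source);

preg_match('/^1-(.*)/', $source, $m);

// Derivations from the tainted input. Which of these should keep the mark is
// the expectation stated in the issue, not verified extension behaviour.
$derived = [
    'concat'       => 'x' . $source,
    'preg_match'   => $m[1],
    'str_ireplace' => str_ireplace('1-', '2-', $source),
    'preg_replace' => preg_replace('/^1-/', '2-', $source),
    'substr'       => substr($source, 2),
];

// Escaping for HTML output is the sanitizer the extension is assumed to
// recognise, so this value is expected to come back untainted.
$escaped = htmlspecialchars($source, ENT_QUOTES, 'UTF-8');

// Returns the names of derivations whose result is no longer tainted, plus
// whether the escaped value is still (wrongly) considered tainted.
function report(array $values, string $escaped): array {
    $lost = [];
    foreach ($values as $name => $value) {
        if (!is_tainted($value)) {
            $lost[] = $name;
        }
    }
    return ['lost_mark' => $lost, 'escaped_tainted' => is_tainted($escaped)];
}

$result = report($derived, $escaped);
foreach ($result['lost_mark'] as $name) {
    echo "$name: tainted input produced an untainted result\n";
}
if ($result['escaped_tainted']) {
    echo "htmlspecialchars output is still marked tainted\n";
}
```

Any name printed is a derivation where a tainted value reaches `echo` without a warning, which is exactly the class of gap this issue reports.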