Closed MChaban47 closed 11 months ago
Hi @MChaban47. Could you please elaborate a bit more?
@DavidePastore, look at line 120. In PHP prior to 7.0, the 'e' modifier will evaluate the result of preg_replace as PHP code. If this '.xml' file is handled by the PHP interpreter on the server (if set so), it becomes a backdoor with remote shell possibility or any PHP function execution on the remote server. I mean, I know that this is an example, but it will actually be executed on a server with documentation where all files go through the PHP interpreter. You can find out more here: http://www.madirish.net/402
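For auditing a code base for the modifier discussed in the comment above, here is a small scanner. It is an added example, not part of the original thread or of the PHP documentation project. The function names and the sample input are constructed, and only string-literal patterns passed directly to `preg_replace` are inspected.

```python
import re

# First argument of preg_replace() when it is a plain quoted string literal.
# preg_replace_callback() is not matched: "_callback" follows the name.
CALL = re.compile(r"""\bpreg_replace\s*\(\s*(['"])((?:\\.|(?!\1).)*)\1""",
                  re.S | re.I)
# PCRE patterns may use bracket pairs as delimiters.
CLOSERS = {"(": ")", "[": "]", "{": "}", "<": ">"}


def modifiers(pattern):
    """Return the modifier letters after the closing delimiter, or None."""
    pattern = pattern.lstrip()
    if not pattern or pattern[0].isalnum() or pattern[0] == "\\":
        return None  # not a valid PCRE delimiter
    close = CLOSERS.get(pattern[0], pattern[0])
    # Modifiers are letters and a delimiter never is, so the last
    # occurrence of the closing delimiter ends the expression.
    end = pattern.rfind(close, 1)
    return None if end < 1 else pattern[end + 1:]


def find_eval_modifier(source):
    """List (line_number, pattern_literal) for preg_replace calls using /e."""
    hits = []
    for m in CALL.finditer(source):
        mods = modifiers(m.group(2))
        if mods and "e" in mods:
            line = source.count("\n", 0, m.start()) + 1
            hits.append((line, m.group(2)))
    return hits


# Constructed sample input, not taken from the thread.
SAMPLE = r'''<?php
// two calls use the e modifier, one only contains the letter e in the regex
$a = preg_replace('/(\w+)/e', "strtoupper('\\1')", $text);
$b = preg_replace('/e+/i', 'E', $text);
$c = preg_replace("#<b>(.*?)</b>#se", "ucfirst('\\1')", $text);
$d = preg_replace_callback('/(\w+)/', fn($m) => strtoupper($m[1]), $text);
'''

if __name__ == "__main__":
    for line, pattern in find_eval_modifier(SAMPLE):
        print(f"line {line}: e modifier in {pattern}")
```

Patterns built from variables or passed as arrays are not covered and need manual review; flagged calls are normally migrated to `preg_replace_callback`.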
To be honest I'm not even sure that the code snippets that are in the example sections are executed by a PHP interpreter.
> To be honest I'm not even sure that the code snippets that are in the example sections are executed by a PHP interpreter.

They are not :)
Thanks for confirming, @Girgias. I'm closing this one.
https://github.com/php/doc-it/blob/bb0149be4579d5bbc3c3ade14b1161317394453a/reference/pcre/pattern.modifiers.xml#L114