preg_match /D modifier

Created on 28 November 2011, over 13 years ago
Updated 24 June 2023, almost 2 years ago

From the security team list where this issue was discussed:

Hi,

After I read the story on devzone.zend.com[1], I searched Drupal's core
files to find an exploitable usage but I couldn't. But this doesn't mean
that we shouldn't fix it.

Erdem Kose

[1] http://devzone.zend.com/node/view/id/1893

Bart Jansens wrote:
> Hi,
>
> I recently came across an issue in another project due to the fact that
> they forgot to use /D in their regular expressions that were used to
> validate input.
>
> I noticed that these issues exist in Drupal as well. For example:
>
> valid_email_address("bart at motd.be\n") == TRUE
>
> As long as no /D modifier is used, $ in regular expressions matches the
> end of the line or a newline before the end of the line.
>
> Whether or not this is exploitable really depends on how the code that
> uses these functions deals with such input. But it might be worth
> fixing this and looking for similar issues in Drupal core.
>
>
> Bart
>

You can read these articles to learn more about the /D modifier:
http://devzone.zend.com/node/view/id/1893
http://blog.php-security.org/archives/76-Holes-in-most-preg_match-filter...

See also this PDF of the entire discussion (sorry, I don't know an easier way to move conversations wholesale into a Drupal node)
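
The behaviour described in the quoted mail, as an added example that is not part of the original issue or of Drupal's code. The e-mail pattern, the sample inputs and the helper `lacks_dollar_endonly()` are constructed for illustration; the helper assumes patterns that use the same character as opening and closing delimiter.

```php
<?php
// Added example. BODY is a constructed pattern, not the regex used by
// Drupal's valid_email_address().
const BODY = '^[a-z0-9._-]+@[a-z0-9.-]+\.[a-z]{2,}';

$patterns = [
    'no /D'   => '/' . BODY . '$/i',   // $ also matches before one final "\n"
    'with /D' => '/' . BODY . '$/iD',  // PCRE_DOLLAR_ENDONLY: $ is end of subject only
    '\z'      => '/' . BODY . '\z/i',  // \z is always the absolute end of subject
];

// Constructed sample inputs.
$inputs = [
    "user@example.com",
    "user@example.com\n",    // accepted without /D
    "user@example.com\n\n",  // rejected everywhere: $ tolerates only one final newline
    "user@example.com\nX",   // rejected everywhere: text follows the newline
];

foreach ($inputs as $in) {
    $row = [];
    foreach ($patterns as $label => $p) {
        $row[] = $label . '=' . (preg_match($p, $in) === 1 ? 'match' : 'no');
    }
    printf("%-26s %s\n", json_encode($in), implode('  ', $row));
}

// Audit helper (hypothetical): flag a pattern literal that ends in an
// unescaped $ and has no D modifier. Simplified: it does not handle
// bracket-style delimiters or a $ preceded by an escaped backslash.
function lacks_dollar_endonly(string $pattern): bool
{
    $end  = strrpos($pattern, $pattern[0]);        // closing delimiter
    $body = substr($pattern, 1, $end - 1);
    $mods = substr($pattern, $end + 1);
    $endsInDollar = preg_match('/(?<!\\\\)\$\z/', $body) === 1;
    return $endsInDollar && strpos($mods, 'D') === false;
}

foreach ($patterns as $label => $p) {
    printf("%-8s needs review: %s\n", $label, lacks_dollar_endonly($p) ? 'yes' : 'no');
}
```

Only the first pattern accepts the input with a single trailing newline, and it is also the only one the helper flags for review.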

📌 Task
Status

Postponed: needs info

Version

9.5

Component
Base

Last updated 1 day ago

Created by

🇨🇦 Canada webchick Vancouver

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.
