2015-12-11 14:42:00
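After moving the ecstore code to PHP 7, I found that it could no longer render any page. Using var_dump, I traced the problem to the template processing mechanism. With that narrowed down, I finally found this at line 77 of `/app/base/lib/component/compiler.php`:

```php
$file_contents = preg_replace("!{$ldq}\*.*?\*{$rdq}!seu",'',$file_contents);
```

After this regex replacement, the entire file content became empty. Looking for the cause, I found that preg_replace dropped the `e` modifier after PHP 5.5. php.net describes it as follows:

> `e` (`PREG_REPLACE_EVAL`)
>
> Warning: This feature has been deprecated as of PHP 5.5.0. Relying on this feature is highly discouraged.
>
> If this deprecated modifier is set, preg_replace() does normal substitution of backreferences in the replacement string, evaluates it as PHP code (in the manner of eval), and uses the result for replacing the search string. Single quotes, double quotes, backslashes (\) and NULL chars will be escaped by backslashes in substituted backreferences.
>
> Caution: The addslashes() function is run on each matched backreference before the substitution takes place. As such, when the backreference is used as a quoted string, escaped characters will be converted to literals. However, characters which are escaped, which would normally not be converted, will retain their slashes. This makes use of this modifier very complicated.
>
> Caution: Make sure that replacement constitutes a valid PHP code string, otherwise PHP will complain about a parse error at the line containing preg_replace().
>
> Caution: Use of this modifier is discouraged, as it can easily introduce security vulnerabilities:
>
> ```php
> $html = preg_replace('(<h([1-6])>(.*?)</h\1>)e', '"<h$1>" . strtoupper("$2") . "</h$1>"', $html);
> ```
>
> The above example code can be easily exploited by passing in a string such as `<h1>{${eval($_GET[php_code])}}</h1>`. This gives the attacker the ability to execute arbitrary PHP code and as such gives him nearly complete access to your server.
>
> To prevent this kind of remote code execution vulnerability the preg_replace_callback() function should be used instead:
>
> ```php
> $html = preg_replace_callback('(<h([1-6])>(.*?)</h\1>)', function ($m) { return "<h$m[1]>" . strtoupper($m[2]) . "</h$m[1]>"; }, $html);
> ```
>
> Note: Only preg_replace() uses this modifier; it is ignored by other PCRE functions.

So the `e` modifier is the cause. On PHP 7 the modifier is no longer supported: `preg_replace()` raises a warning and returns `NULL`, which is why the file content came back empty. The replacement in this call is the empty string, so nothing needed to be evaluated, and simply removing the `e` modifier fixes the problem.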
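The fix described above, written out as an added example (not ecstore's own code): the same comment-stripping pattern without `e`, plus a check for the `NULL` return that silently emptied the template. The function name, the default `{` / `}` delimiters, the `preg_quote()` step and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not ecstore code. Names and sample data are hypothetical.

/**
 * Strip {* ... *} template comments without the removed /e modifier.
 * $left and $right are the raw template delimiters (assumed "{" and "}").
 */
function strip_template_comments(string $src, string $left = '{', string $right = '}'): string
{
    // Quote the delimiters so they match literally; '!' is the regex delimiter.
    $ldq = preg_quote($left, '!');
    $rdq = preg_quote($right, '!');

    // Same pattern as the original line minus "e":
    // s = dot also matches newlines, u = treat pattern and subject as UTF-8.
    $out = preg_replace("!{$ldq}\*.*?\*{$rdq}!su", '', $src);

    // preg_replace() returns NULL on failure (unsupported modifier, invalid
    // UTF-8 under /u, backtrack limit reached). Fail loudly instead of letting
    // NULL turn into an empty template.
    if ($out === null) {
        throw new RuntimeException('preg_replace failed, PCRE error code ' . preg_last_error());
    }
    return $out;
}

// Constructed sample template with a single-line and a multi-line comment.
$tpl = "<p>{* single-line comment *}hello</p>\n{* multi\nline *}<b>{\$name}</b>";
var_dump(strip_template_comments($tpl) === "<p>hello</p>\n<b>{\$name}</b>");

// Constructed invalid UTF-8 input: under /u, preg_replace() returns NULL,
// which the check above turns into an exception.
try {
    strip_template_comments("{* x *}\xC3\x28");
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

A replacement that really does need to run code per match belongs in `preg_replace_callback()`, as in the php.net example quoted above.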