Permissive Regular Expression
ID: 625 | Date: (C)2012-05-14 (M)2022-10-10 |
Type: weakness | Status: DRAFT |
Abstraction Type: Base |
Description
The product uses a regular expression that does not
sufficiently restrict the set of allowed values.
Extended Description
This effectively causes the regexp to accept substrings that match the pattern, which produces a partial comparison to the target. In some cases, this can lead to other weaknesses. Common errors include:
- not identifying the beginning and end of the target string
- using wildcards instead of acceptable character ranges
- others
Applicable Platforms
- Language: Perl
- Language: PHP
Time Of Introduction
Common Consequences
Scope | Technical Impact | Notes |
---|---|---|
Access Control | Bypass protection mechanism | |
Detection Methods
None
Potential Mitigations
Phase | Strategy | Description | Effectiveness | Notes |
---|---|---|---|---|
Implementation | | When applicable, ensure that the regular expression marks beginning and ending string patterns, such as "/^string$/" for Perl. | | |
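As an added illustration (not part of the CWE entry), the Python check below puts the two permissive forms named above, an unanchored pattern and a pattern that only confirms one legal character, beside an anchored one; the validator names and sample inputs are constructed for this example. Python's `$`, like Perl's, still matches before a trailing newline, so the strict form uses `\A` and `\Z` (the Perl equivalent is `\A` and `\z`).

```python
import re

# Constructed sample inputs for this example: values a validator for a
# "lowercase alphanumeric file name" might receive. Not from the CWE entry.
SAMPLES = ["report2024", "../outside", "report\n", "", "---"]

# Permissive: no anchors, so search() succeeds on any matching substring.
UNANCHORED = re.compile(r"[a-z0-9]+")
# Permissive: confirms that at least one character is legal, not that all are.
ONE_CHAR = re.compile(r"[a-z0-9]")
# Anchored with ^ and $: still accepts a trailing newline, because $ matches
# just before a final "\n" in Python (and in Perl).
DOLLAR = re.compile(r"^[a-z0-9]+$")
# Strict: \A and \Z bind to the absolute start and end of the string.
STRICT = re.compile(r"\A[a-z0-9]+\Z")


def check(value: str) -> dict:
    """Run one value through all four validators; True means 'accepted'."""
    return {
        "unanchored": UNANCHORED.search(value) is not None,
        "one_char": ONE_CHAR.search(value) is not None,
        "dollar": DOLLAR.match(value) is not None,
        "strict": STRICT.match(value) is not None,
    }


def accepted_by_permissive_only(values) -> list:
    """Values the strict pattern rejects but at least one permissive form accepts."""
    out = []
    for v in values:
        r = check(v)
        if not r["strict"] and (r["unanchored"] or r["one_char"] or r["dollar"]):
            out.append(v)
    return out


if __name__ == "__main__":
    for v in SAMPLES:
        print(repr(v), check(v))
    # Expected: ['../outside', 'report\n']
    print("over-accepted:", accepted_by_permissive_only(SAMPLES))
```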
Relationships
Related CWE | Type | View | Chain |
---|---|---|---|
CWE-625 ChildOf CWE-896 | Category | CWE-888 | |
Demonstrative Examples (Details)
- (Demonstrative Example Id DX-37)
Observed Examples
- CVE-2006-1895 : ".*" regexp leads to static code injection
- CVE-2002-2175 : insertion of username into regexp results in partial comparison, causing wrong database entry to be updated when one username is a substring of another.
- CVE-2006-4527 : regexp intended to verify that all characters are legal, only checks that at least one is legal, enabling file inclusion.
- CVE-2005-1949 : Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters.
- CVE-2002-2109 : Regexp isn't "anchored" to the beginning or end, which allows spoofed values that have trusted values as substrings.
- CVE-2006-6511 : regexp in .htaccess file allows access of files whose names contain certain substrings
- CVE-2006-6629 : allow load of macro files whose names contain certain substrings.
- : VIM Mailing list, March 14, 2006
White Box Definitions None
Black Box Definitions None
Taxonomy Mappings
Taxonomy | Id | Name | Fit |
---|---|---|---|
CERT Java Secure Coding | IDS08-J | Sanitize untrusted data passed to a regex | |
References:
- Mark Dowd, John McDonald and Justin Schuh. The Art of Software Security Assessment, 1st Edition. Addison Wesley, 2006. Chapter 8, "Character Stripping Vulnerabilities", page 437.