Permissive Regular Expression
| ID: 625 | Date: (C)2012-05-14 (M)2012-11-08 |
|---|---|
| Type: weakness | Status: DRAFT |
| Abstraction Type: Base | |
The product uses a regular expression that does not
sufficiently restrict the set of allowed values.
Extended Description
This effectively causes the regexp to accept substrings that match the pattern, which produces a partial comparison to the target. In some cases, this can lead to other weaknesses. Common errors include:
- not identifying the beginning and end of the target string
- using wildcards instead of acceptable character ranges
- others
Applicable Platforms
- Language: Perl
- Language: PHP
Time Of Introduction
| Scope | Impact |
|---|---|
| Access_Control | Bypass protection mechanism |
| Phase | Strategy | Description |
|---|---|---|
| Implementation | | When applicable, ensure that the regular expression marks beginning and ending string patterns, such as "/^string$/" for Perl. |
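The three common errors listed above and the anchoring mitigation, as an added example that is not part of the CWE entry; it is written in Python rather than Perl because the regexp semantics are the same, and all pattern names, sample records and inputs are constructed.

```python
import re

# Constructed example of CWE-625: each "weak" pattern accepts a substring,
# each "strict" pattern is anchored so the whole input must match.

# Error 1: no beginning/end anchors (cf. the IP-address observed example).
WEAK_IP = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")
STRICT_IP = re.compile(r"\A\d{1,3}(?:\.\d{1,3}){3}\Z")

def weak_is_ip(value: str) -> bool:
    return WEAK_IP.search(value) is not None      # trailing text still passes

def strict_is_ip(value: str) -> bool:
    return STRICT_IP.search(value) is not None    # trailing text is rejected

# Error 2: "every character is legal" written as "at least one character is
# legal": an unanchored character class matches any legal substring.
WEAK_NAME = re.compile(r"[a-z0-9_]+")
STRICT_NAME = re.compile(r"\A[a-z0-9_]+\Z")

def weak_is_name(value: str) -> bool:
    return WEAK_NAME.search(value) is not None

def strict_is_name(value: str) -> bool:
    return STRICT_NAME.search(value) is not None

# Error 3: a user-supplied value inserted into a regexp gives a partial
# comparison, so one username also selects any record that contains it.
RECORDS = ["alice", "alice_admin", "bob"]  # constructed sample records

def weak_find(username: str) -> list:
    return [r for r in RECORDS if re.search(username, r)]

def strict_find(username: str) -> list:
    # the value is data, not a pattern: escape it and require a full match
    return [r for r in RECORDS if re.fullmatch(re.escape(username), r)]

# Caveat: '$' (as in Perl) still matches before a final newline; '\Z' does
# not, so it is the strict end anchor in Python ('\z' in Perl).
def dollar_accepts_trailing_newline(value: str) -> bool:
    return re.search(r"^\d+$", value) is not None

def z_accepts_trailing_newline(value: str) -> bool:
    return re.search(r"\A\d+\Z", value) is not None
```

The `strict_*` functions are the mitigation from the table above applied to each error; the newline caveat is why `\A`/`\Z` are used instead of `^`/`$`.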
| Source | Nature | Target | Target Type | View |
|---|---|---|---|---|
| CWE-625 | ChildOf | CWE-896 | Category | CWE-888 |
Demonstrative Examples (Details)
- (Demonstrative Example Id DX-37)
- CVE-2006-1895: ".*" regexp leads to static code injection.
- CVE-2002-2175: Insertion of username into regexp results in partial comparison, causing the wrong database entry to be updated when one username is a substring of another.
- CVE-2006-4527: Regexp intended to verify that all characters are legal only checks that at least one is legal, enabling file inclusion.
- CVE-2005-1949: Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters.
- CVE-2002-2109: Regexp isn't "anchored" to the beginning or end, which allows spoofed values that have trusted values as substrings.
- CVE-2006-6511: Regexp in .htaccess file allows access to files whose names contain certain substrings.
- CVE-2006-6629: Allows loading of macro files whose names contain certain substrings.
- : VIM Mailing list, March 14, 2006
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
| Mapped Taxonomy Name | Node ID | Mapped Node Name |
|---|---|---|
| CERT Java Secure Coding | IDS08-J | Sanitize untrusted data passed to a regex |