﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
8689	WordPress must not use preg_replace with /e	BenBE	ryan	"When a server runs the Suhosin Patch, one option allows web administrators to enable certain security-related functionality, such as disabling remote URL inclusion or disabling certain functions like eval, with much better granularity. One of the options you can choose from is to disable the /e modifier of the preg_replace command, as this modifier allows arbitrary code to be executed.

If this option is enabled, parts of WordPress stop working. So you can either patch all those locations by hand every time you need to update your WordPress blog, stop using WordPress, or kindly ask the developers to cease using preg_replace with the /e modifier and instead switch to preg_replace_callback, which in turn provides you with much more flexibility.

Affected locations in WordPress 2.7 (DE version) are:
{{{
File wordpress\wp-admin\import\blogger.php
     553  		$post_content = preg_replace('|<(/?[A-Z]+)|e', ""'<' . strtolower('$1')"", $post_content);
     606  		$comment_content = preg_replace('|<(/?[A-Z]+)|e', ""'<' . strtolower('$1')"", $comment_content);
File wordpress\wp-admin\import\blogware.php
      92  			$post_content = preg_replace('|<(/?[A-Z]+)|e', ""'<' . strtolower('$1')"", $post_content);
     132  					$comment_content = preg_replace('|<(/?[A-Z]+)|e', ""'<' . strtolower('$1')"", $comment_content);
File wordpress\wp-admin\import\livejournal.php
      73  			$post_content = preg_replace('|<(/?[A-Z]+)|e', ""'<' . strtolower('$1')"", $post_content);
     109  					$comment_content = preg_replace('|<(/?[A-Z]+)|e', ""'<' . strtolower('$1')"", $comment_content);
File wordpress\wp-admin\import\rss.php
     106  			$post_content = preg_replace('|<(/?[A-Z]+)|e', ""'<' . strtolower('$1')"", $post_content);
File wordpress\wp-admin\import\wordpress.php
     384  		$post_excerpt = preg_replace('|<(/?[A-Z]+)|e', ""'<' . strtolower('$1')"", $post_excerpt);
     389  		$post_content = preg_replace('|<(/?[A-Z]+)|e', ""'<' . strtolower('$1')"", $post_content);
File wordpress\wp-content\plugins\ajaxd-wordpress\control\aWP-admin.php
      55  			$options = preg_replace('!s:(\d+):""(.*?)"";!e', ""'s:'.strlen('$2').':\""$2\"";'"", $options );
File wordpress\wp-includes\class-phpmailer.php
    1423          $encoded = preg_replace('/([\000-\011\013\014\016-\037\075\077\137\177-\377])/e',
File wordpress\wp-includes\formatting.php
    1151  		$subject = preg_replace('#\=([0-9a-f]{2})#ei', ""chr(hexdec(strtolower('$1')))"", $subject);
File wordpress\wp-includes\kses.php
     397  	return preg_replace('%((<!--.*?(-->|$))|(<[^>]*(>|$)|>))%e',
    1002  	$string = preg_replace('/&#([0-9]+);/e', 'chr(""\\1"")', $string);
    1003  	$string = preg_replace('/&#[Xx]([0-9A-Fa-f]+);/e', 'chr(hexdec(""\\1""))', $string);
File wordpress\wp-includes\post-template.php
     226  		$output =	preg_replace('/\%u([0-9A-F]{4,4})/e',	""'&#'.base_convert('\\1',16,10).';'"", $output);
File wordpress\wp-includes\js\tinymce\plugins\spellchecker\classes\GoogleSpell.php
     109  		$string = preg_replace('~&#x([0-9a-f]+);~ei', 'chr(hexdec(""\\1""))', $string);
     110  		$string = preg_replace('~&#([0-9]+);~e', 'chr(\\1)', $string);
}}}

In order to quickly find the places where such a call is present, you can use the following regular expression:
{{{
/preg_replace\s*\(\s*'(.).+?\1[^']*?e[^']*'/
}}}"	defect (bug)	closed	high	2.8	Security	2.7	major	fixed	has-patch tested commit	westi tbaboon
