Fix a yara warning

jvoisin · jvoisin · commit 72b929d82e76 · 2020-07-01T14:35:17.000+02:00
This shouldn't impact detection much, while fixing
a scary warning
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
@@ -92,7 +92,7 @@ rule DodgyPhp
         $iis_com = /IIS:\/\/localhost\/w3svc/
         $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
         $ini_get = /ini_(get|set|restore)\s*\(\s*['"](safe_mode|open_basedir|disable_(function|classe)s|safe_mode_exec_dir|safe_mode_include_dir|register_globals|allow_url_include)/ nocase
-        $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(.+(\/|\\x2f)(e|\\x65)['"]/  nocase // http://php.net/manual/en/function.preg-replace.php
+        $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\([^)]*(\/|\\x2f)(e|\\x65)['"]/  nocase // http://php.net/manual/en/function.preg-replace.php
         $register_function = /register_[a-z]+_function\s*\(\s*['"]\s*(eval|assert|passthru|exec|include|system|shell_exec|`)/  // https://github.com/nbs-system/php-malware-finder/issues/41
         $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
         $shellshock = /\(\)\s*{\s*[a-z:]\s*;\s*}\s*;/
