getVariableToken() bypass #1

chinurho · 2014-03-05T14:48:33Z

PHP variables syntax parsers:

T_VARIABLE
'$' '{' expr '}'

Therefore, variables allows for the use of complex expressions in ${}.
Well, getVariableToken() can be bypassed, like tihs:

${@func}($evil);
${2+1}($evil);
${1?func:func}($evil);
...

The text was updated successfully, but these errors were encountered:

cfc4n · 2014-03-06T05:28:14Z

Yes, It's a bug. I'ill fixed it today. thank you very much.

cfc4n · 2014-03-06T13:31:12Z

hi,chinurho:
It's fixed at 0.4.3.Can you do once again to verify it?
thanks.

chinurho · 2014-03-07T11:21:14Z

bypass fix:

${${func}}($evil);
${(array)function(){}}($evil);

cfc4n · 2014-03-11T11:47:11Z

eh.You are right.I'll try it again.

cfc4n · 2014-05-27T08:34:02Z

OMG,I forget it for long time...So sorry.and I fixed it ,You'll try it again If you sow it.Thanks.

chinurho assigned cfc4n Mar 6, 2014

cfc4n closed this as completed Oct 15, 2014

Provide feedback