Re: preventing header injection
Posted: Mon Mar 16, 2009 1:55 pm
by oboedrew
So it should look like this, right?
'|^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+\.[A-Za-z]{2,6}$|D'
Should the D modifier be used any time a regex uses the ^ and $ boundaries?
Thanks,
Drew
Re: preventing header injection
Posted: Mon Mar 16, 2009 1:59 pm
by kaisellgren
oboedrew wrote: So it should look like this, right?
'|^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+\.[A-Za-z]{2,6}$|D'
Should the D modifier be used any time a regex uses the ^ and $ boundaries?
Thanks,
Drew
Most likely yes, unless you are using the m modifier, which makes D "disappear".
Re: preventing header injection
Posted: Mon Mar 16, 2009 2:12 pm
by oboedrew
Understood. Thanks for all the help, Kai!
Cheers,
Drew
Re: preventing header injection
Posted: Mon Mar 16, 2009 4:47 pm
by Benjamin
kaisellgren wrote: The modifier D makes the $ character match the very end of the subject. Otherwise, it won't.
Are you saying that:
$x = "hello\n";
// this would match $x
preg_match('#^hello$#', $x);
// while this wouldn't?
preg_match('#^hello$#D', $x);
Re: preventing header injection
Posted: Mon Mar 16, 2009 4:53 pm
by kaisellgren
In that code, the former matches while the latter does not.
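The behaviour Kai confirms above, as an added worked example (this is not code posted in the thread; the checkEmail helper and the three input values are constructed for illustration). It runs the address pattern from earlier in the thread once without and once with the D modifier against a clean value, a value with a single trailing newline, and a value with an embedded line break followed by a second header line.

```php
<?php
// Added example, not code from this thread. Shows what the D modifier
// (PCRE_DOLLAR_ENDONLY) changes: without D, "$" also matches just before
// a single trailing newline, which is why "hello\n" satisfies '#^hello$#'.

// The address pattern discussed in the thread, once without and once with D.
const EMAIL_PATTERN   = '|^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+\.[A-Za-z]{2,6}$|';
const EMAIL_PATTERN_D = '|^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+\.[A-Za-z]{2,6}$|D';

// Hypothetical helper: reports whether $subject passes each pattern.
function checkEmail(string $subject): array
{
    return [
        'without_D' => preg_match(EMAIL_PATTERN, $subject) === 1,
        'with_D'    => preg_match(EMAIL_PATTERN_D, $subject) === 1,
    ];
}

// Constructed inputs: a clean address, the same address with one trailing
// newline, and a value carrying an embedded line break plus a second header
// line (the shape a header injection attempt takes in a mail form).
$inputs = [
    "user@example.com",
    "user@example.com\n",
    "user@example.com\nBcc: other@example.net",
];

foreach ($inputs as $input) {
    $r = checkEmail($input);
    printf("%-42s without D: %s  with D: %s\n",
        json_encode($input),
        $r['without_D'] ? 'match' : 'no match',
        $r['with_D']    ? 'match' : 'no match');
}
```

Only the second input behaves differently: with a trailing newline it matches without D and is rejected with D. The third input is rejected by both patterns, because the character classes contain no line-break characters and, without the m modifier, $ only tolerates a newline that is the very last character of the subject. Writing \z (lowercase) in place of $ gives the same strict end-of-subject anchoring without needing the modifier. Note that trim(), which comes up later in the thread, removes the trailing-newline case but does nothing about an embedded CR or LF, so for header injection the pattern itself is the check that matters.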
Re: preventing header injection
Posted: Mon Mar 16, 2009 4:59 pm
by Benjamin
I didn't realize that. I usually trim everything anyway. Good to know

Re: preventing header injection
Posted: Mon Mar 16, 2009 5:02 pm
by kaisellgren
astions wrote: I usually trim everything anyway.
I usually have one space in front of my password... :/
Re: preventing header injection
Posted: Mon Mar 16, 2009 5:07 pm
by Benjamin
Well you'll still be able to login. I'll trim it on the login form too

Re: preventing header injection
Posted: Mon Mar 16, 2009 5:12 pm
by kaisellgren
astions wrote: Well you'll still be able to login. I'll trim it on the login form too

Kai.has_noscript_extension = true;

Re: preventing header injection
Posted: Mon Mar 16, 2009 5:15 pm
by Benjamin
It's trimmed server side.
Re: preventing header injection
Posted: Mon Mar 16, 2009 5:56 pm
by kaisellgren
astions wrote: It's trimmed server side.
Oh, I thought you meant you use JS to trim ("I'll trim it on the login form too").
Well, then it's even worse
