Incorrect Regular Expression
Weakness ID: 185 (Weakness Class)Status: Draft
+ Description

Description Summary

The software specifies a regular expression in a way that causes data to be improperly sanitized or compared.
+ Time of Introduction
  • Implementation
+ Applicable Platforms



+ Common Consequences

In PHP, regular expression checks can sometimes be bypassed with a null byte, leading to any number of weaknesses.

+ Observed Examples
CVE-2002-2109Regexp isn't "anchored" to the beginning or end, which allows spoofed values that have trusted values as substrings.
CVE-2005-1949Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters.
CVE-2001-1072Bypass access restrictions via multiple leading slash, which causes a regular expression to fail.
CVE-2000-0115Local user DoS via invalid regular expressions.
CVE-2002-1527Error infoleak via malformed input that generates a regular expression error.
CVE-2005-1061Certain strings are later used in a regexp, leading to a resultant crash.
CVE-2005-2169MFV. Regular expression intended to protect against directory traversal reduces ".../...//" to "../".
CVE-2005-0603Malformed regexp syntax leads to error infoleak.
CVE-2005-1820Code injection due to improper quoting of regular expression.
CVE-2005-3153Null byte bypasses PHP regexp check.
CVE-2005-4155Null byte bypasses PHP regexp check.
+ Potential Mitigations

Regular expressions can become error prone when defining a complex language even for those experienced in writing grammars. Determine if several smaller regular expressions simplifies one large regular expression. Also, subject your regular expression to thorough testing techniques such as equivalence partitioning, boundary value analysis, and robustness. After testing and a reasonable confidence level is achieved a regular expression may not be full proof. If an exploit is allowed to slip through, then record the exploit and refactor your regular expression.

+ Other Notes

Keywords: regexp

This can seem to overlap whitelist/blacklist problems, but it is intended to deal with improperly written regular expressions, regardless of the values that those regular expressions use. While whitelists and blacklists are often implemented using regular expressions, they can be implemented using other mechanisms as well.

+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfCategoryCategory171Cleansing, Canonicalization, and Comparison Errors
Development Concepts (primary)699
ChildOfWeakness ClassWeakness Class697Insufficient Comparison
Research Concepts (primary)1000
CanPrecedeWeakness BaseWeakness Base182Collapse of Data Into Unsafe Value
Research Concepts1000
CanPrecedeWeakness BaseWeakness Base187Partial Comparison
Research Concepts1000
ParentOfWeakness BaseWeakness Base186Overly Restrictive Regular Expression
Development Concepts (primary)699
Research Concepts (primary)1000
ParentOfWeakness BaseWeakness Base625Permissive Regular Expression
Development Concepts (primary)699
Research Concepts (primary)1000
+ Research Gaps

Regexp errors are likely a primary factor in many MFVs, especially those that require multiple manipulations to exploit. However, they are rarely diagnosed at this level of detail.

+ Taxonomy Mappings
Mapped Taxonomy NameNode IDFitMapped Node Name
PLOVERRegular Expression Error
+ Related Attack Patterns
CAPEC-IDAttack Pattern Name
(CAPEC Version: 1.4)
15Command Delimiters
79Using Slashes in Alternate Encoding
6Argument Injection
+ References
[REF-11] M. Howard and D. LeBlanc. "Writing Secure Code". Chapter 10, "Using Regular Expressions for Checking Input" Page 350. 2nd Edition. Microsoft. 2002.
+ Content History
Submission DateSubmitterOrganizationSource
PLOVERExternally Mined
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Description, Name, Relationships, Observed Example, Other Notes, Taxonomy Mappings
2009-12-28CWE Content TeamMITREInternal
updated Common Consequences, Other Notes
Previous Entry Names
Change DatePrevious Entry Name
2008-09-09Regular Expression Error