Permissive Regular Expression
Weakness ID: 625 (Weakness Base)Status: Draft
+ Description

Description Summary

The product uses a regular expression that does not sufficiently restrict the set of allowed values.

Extended Description

This effectively causes the regexp to accept substrings that match the pattern, which produces a partial comparison to the target. In some cases, this can lead to other weaknesses. Common errors include:

  • not identifying the beginning and end of the target string

  • using wildcards instead of acceptable character ranges

  • others

+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

Perl

PHP

+ Demonstrative Examples

Example 1

(Bad Code)
Example Language: PerlĀ 
$phone = GetPhoneNumber();
if ($phone =~ /\d+-\d+/) {
# looks like it only has hyphens and digits
system("lookup-phone $phone");
}
else {
error("malformed number!");
}

An attacker could provide an argument such as: "; ls -l ; echo 123-456" This would pass the check, since "123-456" is sufficient to match the "\d+-\d+" portion of the regular expression.

+ Observed Examples
ReferenceDescription
CVE-2006-1895".*" regexp leads to static code injection
CVE-2002-2175insertion of username into regexp results in partial comparison, causing wrong database entry to be updated when one username is a substring of another.
CVE-2006-4527regexp intended to verify that all characters are legal, only checks that at least one is legal, enabling file inclusion.
CVE-2005-1949Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters.
CVE-2002-2109Regexp isn't "anchored" to the beginning or end, which allows spoofed values that have trusted values as substrings.
CVE-2006-6511regexp in .htaccess file allows access of files whose names contain certain substrings
CVE-2006-6629allow load of macro files whose names contain certain substrings.
VIM Mailing list, March 14, 2006
+ Potential Mitigations

When applicable, ensure that your regular expression marks beginning and ending string patterns, such as "/^string$/" for Perl.

+ Other Notes

This problem is frequently found when the regular expression is used in input validation or security features such as authentication.

+ Weakness Ordinalities
OrdinalityDescription
Primary
(where the weakness exists independent of other weaknesses)
+ Relationships
NatureTypeIDNameView(s) this relationship pertains toView(s)
ChildOfWeakness ClassWeakness Class185Incorrect Regular Expression
Development Concepts (primary)699
Research Concepts (primary)1000
PeerOfWeakness BaseWeakness Base183Permissive Whitelist
Research Concepts1000
PeerOfWeakness BaseWeakness Base184Incomplete Blacklist
Research Concepts1000
PeerOfWeakness BaseWeakness Base187Partial Comparison
Research Concepts1000
ParentOfWeakness VariantWeakness Variant777Regular Expression without Anchors
Development Concepts (primary)699
Research Concepts (primary)1000
+ Content History
Modifications
Modification DateModifierOrganizationSource
2008-07-01Eric DalciCigitalExternal
updated Time of Introduction
2008-09-08CWE Content TeamMITREInternal
updated Applicable Platforms, Description, Relationships, Observed Example, Other Notes, Weakness Ordinalities
2009-03-10CWE Content TeamMITREInternal
updated Description
2009-05-27CWE Content TeamMITREInternal
updated Demonstrative Examples
2009-07-27CWE Content TeamMITREInternal
updated Relationships