CWE-185: Incorrect Regular Expression

 
Incorrect Regular Expression
Weakness ID: 185 (Weakness Class)
Status: Draft
+ Description

Description Summary

The software specifies a regular expression in a way that causes data to be improperly sanitized or compared.
+ Time of Introduction
  • Implementation
+ Applicable Platforms

Languages

All

+ Observed Examples
Reference | Description
CVE-2002-2109 | Regexp isn't "anchored" to the beginning or end, which allows spoofed values that have trusted values as substrings.
CVE-2005-1949 | Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters.
CVE-2001-1072 | Bypass access restrictions via multiple leading slash, which causes a regular expression to fail.
CVE-2000-0115 | Local user DoS via invalid regular expressions.
CVE-2002-1527 | Error infoleak via malformed input that generates a regular expression error.
CVE-2005-1061 | Certain strings are later used in a regexp, leading to a resultant crash.
CVE-2005-2169 | MFV. Regular expression intended to protect against directory traversal reduces ".../...//" to "../".
CVE-2005-0603 | Malformed regexp syntax leads to error infoleak.
CVE-2005-1820 | Code injection due to improper quoting of regular expression.
CVE-2005-3153 | Null byte bypasses PHP regexp check.
CVE-2005-4155 | Null byte bypasses PHP regexp check.
+ Potential Mitigations
Phase | Description

Regular expressions can become error-prone when defining a complex language, even for those experienced in writing grammars. Determine whether several smaller regular expressions can simplify one large regular expression. Also, subject your regular expression to thorough testing techniques such as equivalence partitioning, boundary value analysis, and robustness testing. Even after testing has achieved a reasonable level of confidence, a regular expression may not be foolproof. If an exploit is allowed to slip through, record the exploit and refactor your regular expression.
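
The testing approach from this mitigation, applied to the kind of unanchored IP-address pattern listed under Observed Examples, as an added example that is not part of the CWE entry. The patterns, function names and test inputs are constructed for illustration, and the example goes beyond the entry by also covering Python's `$`, which matches before a trailing newline.

```python
import re

# All patterns, names and inputs below are constructed for illustration.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"
UNANCHORED = re.compile(r"\d{1,3}(\.\d{1,3}){3}")    # match() pins the start only
DOLLAR = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")      # "$" also matches before a final "\n"
STRICT = re.compile(rf"{OCTET}(?:\.{OCTET}){{3}}")   # used with fullmatch()

def check_unanchored(s):
    return UNANCHORED.match(s) is not None

def check_dollar(s):
    return DOLLAR.match(s) is not None

def check_strict(s):
    # fullmatch() requires the whole string to match, with no newline exception.
    return STRICT.fullmatch(s) is not None

# (input, expected verdict, test-design technique and partition)
CASES = [
    ("10.0.0.1", True, "equivalence: typical valid address"),
    ("0.0.0.0", True, "boundary: lowest octet value"),
    ("255.255.255.255", True, "boundary: highest octet value"),
    ("256.0.0.1", False, "boundary: highest octet value + 1"),
    ("10.0.0", False, "equivalence: too few octets"),
    ("10.0.0.1.5", False, "equivalence: too many octets"),
    ("", False, "boundary: empty input"),
    ("10.0.0.1;x", False, "robustness: trailing shell metacharacter"),
    ("10.0.0.1\n", False, "robustness: trailing newline"),
    ("10.0.0.1\x00", False, "robustness: trailing NUL byte"),
    ("x10.0.0.1", False, "robustness: leading junk"),
]

def wrong_verdicts(check):
    """Return the inputs for which `check` disagrees with the expected verdict."""
    return [s for s, expected, _ in CASES if check(s) != expected]

if __name__ == "__main__":
    for name, check in [("unanchored", check_unanchored),
                        ("^...$", check_dollar),
                        ("fullmatch + octet range", check_strict)]:
        bad = wrong_verdicts(check)
        print(f"{name}: {len(bad)} wrong verdicts {bad!r}")
```

Each input that slips through in practice can be appended to `CASES` so the refactored expression is re-tested against it.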

+ Other Notes

Keywords: regexp

This can seem to overlap whitelist/blacklist problems, but it is intended to deal with improperly written regular expressions, regardless of the values that those regular expressions use. While whitelists and blacklists are often implemented using regular expressions, they can be implemented using other mechanisms as well.

Interacts with null byte in PHP.

+ Relationships
Nature | Type | ID | Name | View(s) this relationship pertains to
ChildOf | Category | 171 | Cleansing, Canonicalization, and Comparison Errors | Development Concepts (primary) 699
CanPrecede | Weakness Base | 182 | Collapse of Data Into Unsafe Value | Research Concepts 1000
CanPrecede | Weakness Base | 187 | Partial Comparison | Research Concepts 1000
ChildOf | Weakness Class | 697 | Insufficient Comparison | Research Concepts (primary) 1000
ParentOf | Weakness Base | 186 | Overly Restrictive Regular Expression | Development Concepts (primary) 699; Research Concepts (primary) 1000
ParentOf | Weakness Base | 625 | Permissive Regular Expression | Development Concepts (primary) 699; Research Concepts (primary) 1000
+ Research Gaps

Regexp errors are likely a primary factor in many MFVs, especially those that require multiple manipulations to exploit. However, they are rarely diagnosed at this level of detail.

+ Taxonomy Mappings
Mapped Taxonomy Name | Node ID | Fit | Mapped Node Name
PLOVER | | | Regular Expression Error
+ Content History
Submissions
Submission Date | Submitter | Organization | Source
 | PLOVER | | Externally Mined
Modifications
Modification Date | Modifier | Organization | Source
2008-07-01 | Eric Dalci | Cigital | External
updated Time of Introduction
2008-09-08 | CWE Content Team | MITRE | Internal
updated Description, Name, Relationships, Observed Example, Other Notes, Taxonomy Mappings
Page Last Updated: October 29, 2009