CWE - CWE-185: Regular Expression Error (Draft 9)

Home > CWE List > CWE-185 Individual Dictionary Definition (Draft 9)

CWE List
Full Dictionary View
Classification Tree
Reports

About
Sources
Process
Documents

Community
Related Activities
Discussion List
Research

News
Calendar
Free Newsletter

Compatibility
Program
Requirements
Declarations
Make a Declaration

Contact Us
Search the Site

Section Contents
CWE List
Full Dictionary View
Classification Tree
Reports
Other Items of Interest
Sources

Key
- Weakness
- Base
- Variant
- Class
- Chain
- Composite
- Category
- View
- Deprecated

CWE-185 Individual Dictionary Definition (Draft 9)

Weakness ID

Status: Draft

185 (Weakness Class)

Description

Summary

A regular expression is incorrectly specified in a way that causes data to be improperly filtered, compared, or cleansed.

Potential Mitigations

Regular expressions can become error prone when defining a complex language even for those experienced in writing grammars. Determine if several smaller regular expressions simplifies one large regular expression. Also, subject your regular expression to thorough testing techniques such as equivalence partitioning, boundary value analysis, and robustness. After testing and a reasonable confidence level is achieved a regular expression may not be full proof. If an exploit is allowed to slip through, then record the exploit and refactor your regular expression.

Observed Examples

Reference	Description
CVE-2002-2109	Regexp isn't "anchored" to the beginning or end, which allows spoofed values that have trusted values as substrings.
CVE-2005-1949	Regexp for IP address isn't anchored at the end, allowing appending of shell metacharacters.
CVE-2001-1072	Bypass access restrictions via multiple leading slash, which causes a regular expression to fail.
CVE-2000-0115	Local user DoS via invalid regular expressions.
CVE-2002-1527	Error infoleak via malformed input that generates a regular expression error.
CVE-2005-0603	Error infoleak via regular expression with invalid syntax.
CVE-2005-1061	Certain strings are later used in a regexp, leading to a resultant crash.
CVE-2005-2169	MFV. Regular expression intended to protect against directory traversal reduces ".../...//" to "../".
CVE-2005-0603	Malformed regexp syntax leads to error infoleak.
CVE-2005-1820	Code injection due to improper quoting of regular expression.
CVE-2005-3153	Null byte bypasses PHP regexp check.
CVE-2005-4155	Null byte bypasses PHP regexp check.

Context Notes

Keywords: regexp

This can seem to overlap whitelist/blacklist problems, but it is intended to deal with improperly written regular expressions, regardless of the values that those regular expressions use.

Can overlap partial comparison.

Interacts with null byte in PHP.

Research Gaps

Regexp errors are likely a primary factor in many MFVs, especially those that require multiple manipulations to exploit. However, they are rarely diagnosed at this level of detail.

Relationships

Nature	Type	ID	Name
ChildOf	Category	171	Cleansing, Canonicalization, and Comparison Errors
CanAlsoBe	Weakness Base	187	Partial Comparison
CanAlsoBe	Weakness Base	182	Collapse of Data Into Unsafe Value
ParentOf	Weakness Base	186	Overly Restrictive Regular Expression
ParentOf	Weakness Base	625	Permissive Regular Expression

Source Taxonomies

PLOVER - Regular Expression Error

Applicable Platforms

All

Related Attack Patterns

CAPEC-ID	Attack Pattern Name
79	Using Slashes in Alternate Encoding
15	Command Delimiters
6	Argument Injection

Page Last Updated: April 21, 2008


	CWE is sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security. This Web site is hosted by The MITRE Corporation. Copyright 2008, The MITRE Corporation. CWE and the CWE logo are trademarks of The MITRE Corporation. Contact cwe@mitre.org for more information.	Privacy policy Terms of use Contact us