Fixed a security issue with the regular expressions

- as discovered and reported by Egidio Romano of Minded Security

- Users with the perm_regex permissions could create a malicious regex that leads to RCE using the PHP /e modifier for preg_replace().
- Regular expressions are now sanitised of the malicious modifier on edit / creation

- also added an admin tool that lets admins clean their current set of regexes of the harmful modifier
pull/727/head
iglocska 2015-11-16 19:47:31 +01:00
parent 770e30b842
commit cd3096a38f
3 changed files with 32 additions and 0 deletions


@ -220,4 +220,21 @@ class RegexpController extends AppController {
$this->Session->setFlash(__('All done! Number of changed attributes: ' . $modifications . ' Number of deletions: ' . count($deletable)));
$this->redirect(array('action' => 'index'));
}
public function cleanRegexModifiers() {
if (!$this->_isSiteAdmin() || !$this->request->is('post')) throw new MethodNotAllowedException();
$entries = $this->Regexp->find('all', array());
$changes = 0;
foreach($entries as $entry) {
$length = strlen($entry['Regexp']['regexp']);
$this->Regexp->sanitizeModifiers($entry['Regexp']['regexp']);
if (strlen($entry['Regexp']['regexp']) < $length) {
$this->Regexp->save($entry);
$changes++;
}
}
$this->Session->setFlash(__('All done! Found and cleaned ' . $changes . ' potentially malcious regexes.'));
$this->redirect('/pages/display/administration');
}
}
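Review bot: The return value of `$this->Regexp->save($entry)` on the line after the strlen comparison is ignored, so an entry whose save fails (presumably possible if validation rejects the rewritten expression) stays in the table untouched while `$changes` still counts it as cleaned. Guard the increment on the save result, `if ($this->Regexp->save($entry)) { $changes++; }`, and count failures separately so the flash message can report entries that still need manual attention. Comparing the full string rather than only its length, `$entry['Regexp']['regexp'] !== $original`, is also a more direct way to detect that the sanitiser changed something. The flash text misspells "malicious" as "malcious".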


@ -30,6 +30,20 @@ class Regexp extends AppModel {
*/
public $useTable = 'regexp';
public function beforeValidate($options = array()) {
$this->sanitizeModifiers($this->data['Regexp']['regexp']);
}
public function sanitizeModifiers(&$regex) {
preg_match('/[a-zA-Z]*$/i', $regex, $modifiers);
if (!empty($modifiers[0])) {
$modifier_length = strlen($modifiers[0]);
$regex = substr($regex, 0, -$modifier_length);
$modifiers[0] = str_ireplace('e', '', $modifiers[0]);
$regex .= $modifiers[0];
}
}
public function checkRegexp() {
if (@preg_replace($this->data['Regexp']['regexp'], 'success', $this->data['Regexp']['regexp']) != null) return true;
return false;
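Review bot: In `sanitizeModifiers` the pattern `/[a-zA-Z]*$/i` relies on `$`, which in PCRE also matches just before a final newline, so a stored value that ends in a newline keeps its modifier letters: the match covers the letters, `substr` then drops the newline instead of them, and the `e` is appended back unchanged (PHP's modifier parser appears to skip whitespace and newline characters, so such a value would still compile). Anchor the match with `\z` instead, `preg_match('/[a-zA-Z]*\z/', $regex, $modifiers);`, and `rtrim()` the value before matching so trailing whitespace cannot separate the modifier list from the end of the string; the `i` flag is redundant with the explicit `a-zA-Z` class. Because the method silently rewrites what the user submitted, consider rejecting the expression with a validation error as well, so attempts are visible in the application log rather than quietly corrected. `beforeValidate` also assumes `$this->data['Regexp']['regexp']` is present and does not `return true;` as CakePHP model callbacks conventionally do; `checkRegexp` continues outside the hunk.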


@ -19,6 +19,7 @@ if (!$isSiteAdmin) exit();
<li><?php echo $this->Form->postLink('Fix duplicate UUIDs', '/servers/pruneDuplicateUUIDs');?> (Hotfix 2.3.107: it was previously possible to get duplicate attribute UUIDs in the database, this script will remove all duplicates and ensure that duplicates will not be entered into the database in the future.)</li>
<li><?php echo $this->Form->postLink('Remove dupicate events (with the same UUID)', '/servers/removeDuplicateEvents');?> (Hotfix 2.3.115: In some rare situations it could occur that a duplicate of an event was created on an instance, with the exact same uuid. This action will remove any such duplicates and make sure that this cannot happen again.)</li>
<li><?php echo $this->Form->postLink('Prune orphaned attributes', '/attributes/pruneOrphanedAttributes');?> (In some rare occasions it can happen that you end up with some attributes in your database that do not belong to an event - for example during a race condition between an event insert and a delete. This tool will collect and delete any such orphaned attributes. If you ever run into an issue where you cannot add an attribute with a specific valid value, this is probably the reason.)</li>
<li><?php echo $this->Form->postLink('Clean regex table of potentially malicious entries', '/regexp/cleanRegexModifiers');?> (Hotfix 2.3.160: Prior to this version it was possible for a user/admin with Regex permission to create a malicious regular expression that could be used to execute arbitrary code. Since this version it is no longer possible to input such expressions, but already existing malicious entries still have to be cleaned using this tool.)</li>
</ul>
</div>
<?php