From 72b929d82e76286cf9d90629e544c7472bb6974f Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Wed, 1 Jul 2020 14:35:17 +0200
Subject: Fix a yara warning

This shouldn't impact detection much, while fixing
a scary warning
---
 php-malware-finder/php.yar | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index de5b1f7..dab8cbf 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -92,7 +92,7 @@ rule DodgyPhp
         $iis_com = /IIS:\/\/localhost\/w3svc/
         $include = /include\s*\(\s*[^\.]+\.(png|jpg|gif|bmp)/  // Clever includes
         $ini_get = /ini_(get|set|restore)\s*\(\s*['"](safe_mode|open_basedir|disable_(function|classe)s|safe_mode_exec_dir|safe_mode_include_dir|register_globals|allow_url_include)/ nocase
-        $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\(.+(\/|\\x2f)(e|\\x65)['"]/  nocase // http://php.net/manual/en/function.preg-replace.php
+        $pr = /(preg_replace(_callback)?|mb_ereg_replace|preg_filter)\s*\([^)]*(\/|\\x2f)(e|\\x65)['"]/  nocase // http://php.net/manual/en/function.preg-replace.php
         $register_function = /register_[a-z]+_function\s*\(\s*['"]\s*(eval|assert|passthru|exec|include|system|shell_exec|`)/  // https://github.com/nbs-system/php-malware-finder/issues/41
         $safemode_bypass = /\x00\/\.\.\/|LD_PRELOAD/
         $shellshock = /\(\)\s*{\s*[a-z:]\s*;\s*}\s*;/
-- 
cgit v1.3