Issue #2508735 by darol100, dawehner, pwolanin, Chi, Fabianx, tim.plunkett: Code injection via preg_replace()

core/lib/Drupal/Core/Block/BlockBase.php

@@ -265,14 +265,9 @@ abstract class BlockBase extends ContextAwarePluginBase implements BlockPluginIn
     //   \Drupal\system\MachineNameController::transliterate(), so it might make
     //   sense to provide a common service for the two.
     $transliterated = $this->transliteration()->transliterate($admin_label, LanguageInterface::LANGCODE_DEFAULT, '_');
-
-    $replace_pattern = '[^a-z0-9_.]+';
-
     $transliterated = Unicode::strtolower($transliterated);
 
-    if (isset($replace_pattern)) {
-      $transliterated = preg_replace('@' . $replace_pattern . '@', '', $transliterated);
-    }
+    $transliterated = preg_replace('@[^a-z0-9_.]+@', '', $transliterated);
 
     return $transliterated;
   }

core/modules/image/src/PathProcessor/PathProcessorImageStyles.php

@@ -43,7 +43,7 @@ class PathProcessorImageStyles implements InboundPathProcessorInterface {
     }
 
     // Strip out path prefix.
-    $rest = preg_replace('|^' . $path_prefix . '|', '', $path);
+    $rest = preg_replace('|^' . preg_quote($path_prefix, '|') . '|', '', $path);
 
     // Get the image style, scheme and path.
     if (substr_count($rest, '/') >= 2) {

core/modules/system/src/MachineNameController.php

@@ -67,7 +67,7 @@ class MachineNameController implements ContainerInjectionInterface {
       $transliterated = Unicode::strtolower($transliterated);
     }
     if(isset($replace_pattern) && isset($replace)) {
-      $transliterated = preg_replace('@' . $replace_pattern . '@', $replace, $transliterated);
+      $transliterated = preg_replace('@' . preg_quote($replace_pattern, '@') . '@', $replace, $transliterated);
     }
     return new JsonResponse($transliterated);
   }