From d8a1df4312fb717f95cedbfa8babcb403f0b51ee Mon Sep 17 00:00:00 2001
From: Hamish Friedlander
Date: Wed, 13 Mar 2013 12:42:48 +1300
Subject: [PATCH] Further secure eval call in ConfigStaticManifest
It shouldnt be possible to get ConfigStaticManifest to parse a user uploaded file, and if you could it shouldnt be possible to form PHP that token_get_all could parse which would end up executing any code. However just in case it is, this changes the eval to assign to a static, so the eval will give a syntax error if an attacker manages to make $value look like `ls` or some other expression
---
 core/manifest/ConfigStaticManifest.php | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/core/manifest/ConfigStaticManifest.php b/core/manifest/ConfigStaticManifest.php
index 074bdbd0a..3689f59c8 100644
--- a/core/manifest/ConfigStaticManifest.php
+++ b/core/manifest/ConfigStaticManifest.php
@@ -318,9 +318,17 @@ class SS_ConfigStaticManifest_Parser {
 $this->statics[$class] = array();
 }
+ $value = trim($value);
+ if ($value) {
+ $value = eval('static $temp = '.$value.";\n".'return $temp'.";\n");
+ }
+ else {
+ $value = null;
+ }
+
 $this->statics[$class][$variable] = array(
 'access' => $access,
- 'value' => eval('return '.trim($value).";\n")
+ 'value' => $value
 );
 if($token == ',') $this->parseStatic($access, $class);
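Review bot: The added `if ($value)` guard tests truthiness, so a default whose source text is `0` (the string `'0'` after `trim`) takes the else branch and is stored as `null`, where the removed `eval('return '.trim($value).";\n")` stored `0`. Compare against the empty string instead: `if ($value !== '') {`. The hardening also depends on `static $temp = ...;` accepting only a constant initialiser, which the code itself does not say; a one-line comment above the eval such as `// static initialisers must be constant expressions, so calls and backticks fail to parse` would keep a later cleanup from reverting it. On PHP versions where a parse error makes `eval` return `false` rather than throw, a rejected value is presumably recorded as `false` and cannot be told apart from a legitimate `false` default, which is worth noting in the same comment. The enclosing method starts and ends outside the hunk, so how `$value` is assembled from tokens is not visible here.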