mirror of
https://github.com/silverstripe/silverstripe-framework
synced 2024-10-22 12:05:37 +00:00
d8a1df4312
It shouldnt be possible to get ConfigStaticManifest to parse a user uploaded file, and if you could it shouldnt be possible to form PHP that token_get_all could parse which would end up executing any code. However just in case it is, this changes the eval to assign to a static, so the eval will give a syntax error if an attacker manages to make $value look like `ls` or some other expression