From 424e3ac8b23a56d4287f1324f2e28bb413d744c3 Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Mon, 13 May 2002 14:46:47 +0000
Subject: [PATCH] closed security hole of using evaled code to show globals vars (which contain eg. passwords)
---
addressbook/csv_import.php | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/addressbook/csv_import.php b/addressbook/csv_import.php
index 3ff7ef46b8..9f8b43fef6 100644
--- a/addressbook/csv_import.php
+++ b/addressbook/csv_import.php
@@ -329,7 +329,8 @@
 }
 if($val[0] == '@')
 {
- $val = 'return '.substr($val,1).';';
+ // removing the $ to close security hole of showing vars, which contain eg. passwords
+ $val = 'return '.substr(str_replace('$','',$val),1).';';
 // echo "

eval('$val')=";
 $val = eval($val);
 // echo "'$val'

";
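Review bot: Stripping `$` on the added `$val = 'return '.substr(str_replace('$','',$val),1).';';` line narrows the hole but does not close it, because the result is still handed to `eval($val)` on the context line that follows: any PHP expression that needs no variable reference (function calls, constants, operators) in an `@`-prefixed CSV field is still executed with the importer's privileges. Assuming the `@` prefix is meant to let a field hold a literal expression (this hunk does not show the intent), the robust fix is to stop calling `eval()` on imported data altogether and instead parse the field against an explicit allow-list of literal forms, which is a larger change than fits in this hunk. The `str_replace` also silently alters legitimate values that contain a literal `$` after the `@` (any text field with a dollar amount), so the added comment should say so, e.g. `// '$' is stripped so the field cannot reference variables; literal '$' in the value is lost`. The enclosing loop or function starts outside the hunk, so whether `$val` is always a non-empty string before `$val[0]` is read cannot be confirmed from here.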