Closed a security hole: eval'd template expressions could display global variables (which contain e.g. database passwords)

This commit is contained in:
Ralf Becker 2002-05-13 15:15:29 +00:00
parent 424e3ac8b2
commit 59f2990851


@ -322,7 +322,8 @@ function cat_id($cats)
$val = str_replace($CPre.$vars[1].$CPos,$val[0] == '@' ? "'".addslashes($fields[index($vars[1],$csv_fields)])."'" : $fields[index($vars[1],$csv_fields)],$val);
}
if ($val[0] == '@') {
$val = 'return '.substr($val,1).';';
// removing the $ to close security hole of showing vars, which contain eg. passwords
$val = 'return '.substr(str_replace('$','',$val),1).';';
// echo "<p>eval('$val')=";
$val = eval($val);
// echo "'$val'</p>";
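Review bot: Stripping every `$` from the expression on the new line `$val = 'return '.substr(str_replace('$','',$val),1).';';` does not close the hole, because the result is still handed to `eval()` two lines later and a nested `@eval("return \x24GLOBALS['phpgw_info'];")` rebuilds variable access without a literal dollar sign, while calls such as `@file_get_contents('/etc/passwd')` or `@system('id')` were never blocked at all. The rewrite also silently corrupts legitimate data: the CSV field inserted with `addslashes()` on the preceding `str_replace` line sits inside the same string, so a value like `'$12.50'` reaches `eval` as `'12.50'`. If the `@` expressions can come from an untrusted user, the robust fix is to stop eval'ing them and dispatch a small whitelist of named helpers via `call_user_func`; if they are admin-authored, at least reject rather than rewrite, e.g. `if (strpos($val,'$') !== false) { $val = ''; } else { $val = eval('return '.substr($val,1).';'); }`. The enclosing function starts and ends outside this hunk, so where `$val` originates cannot be confirmed here.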