From 59f299085195fbb21e6b712f3e7cb5318fee1f09 Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Mon, 13 May 2002 15:15:29 +0000
Subject: [PATCH] closed security hole of using evaled code to show globals vars (which contain eg. passwords)

---
 infolog/csv_import.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/infolog/csv_import.php b/infolog/csv_import.php
index d4b9cb2b9d..11aacc87d8 100644
--- a/infolog/csv_import.php
+++ b/infolog/csv_import.php
@@ -322,7 +322,8 @@ function cat_id($cats)
 $val = str_replace($CPre.$vars[1].$CPos,$val[0] == '@' ? "'".addslashes($fields[index($vars[1],$csv_fields)])."'" : $fields[index($vars[1],$csv_fields)],$val);
 }
 if ($val[0] == '@') {
- $val = 'return '.substr($val,1).';';
+ // removing the $ to close security hole of showing vars, which contain eg. passwords
+ $val = 'return '.substr(str_replace('$','',$val),1).';';
 // echo "

eval('$val')=";
 $val = eval($val);
 // echo "'$val'

";
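Review bot: Stripping `$` is a single-character blocklist, and the string still reaches `eval($val)` two lines below, so template text that gets this far can still invoke arbitrary PHP functions even though it can no longer read variables; unless `$val` is guaranteed to originate from trusted, admin-only configuration rather than from the imported file, the `eval` should be replaced by a fixed set of named transformations (e.g. a `switch` on a keyword after the `@`) so that no template text is ever executed as code. The replacement is also applied after the `$CPre…$CPos` substitution on the first context line has already spliced the quoted CSV field values into `$val`, so a literal `$` in imported data (a price column, for example) is silently dropped from the result; applying `str_replace('$','',...)` to the template before that substitution avoids the data loss, since the field values are already inside single quotes where `$` is inert. The added comment would be clearer as `// strip '$' so the evaluated template cannot reference variables (e.g. globals holding passwords)`. The enclosing function starts and ends outside this hunk, and the `}` on the second context line closes a block that also begins outside it.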