[wp-trac] [WordPress Trac] #27805: Widget Customizer: Eliminate reliance on create_function()
WordPress Trac
noreply at wordpress.org
Tue Apr 15 00:31:26 UTC 2014
#27805: Widget Customizer: Eliminate reliance on create_function()
--------------------------+-------------------
Reporter: westonruter | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.9
Component: Appearance | Version: trunk
Severity: normal | Keywords:
Focuses: |
--------------------------+-------------------
There are concerns that `create_function` could be used in an RCE exploit, even though `var_export` is used to ensure the string supplied to the function body format is a valid PHP string literal.

The code in question is:
{{{#!php
/*
 * @todo Replace the next two lines with the following once WordPress supports PHP 5.3.
 *
 * $self = $this; // not needed in PHP 5.4
 *
 * $function = function ( $value ) use ( $self, $setting_id ) {
 *     return $self->manager->widgets->prepreview_added_widget_instance( $value, $setting_id );
 * };
 */
// The body string is compiled by create_function() (an eval() under the hood);
// var_export() renders $setting_id as a quoted PHP string literal inside it.
$body = sprintf( 'global $wp_customize; return $wp_customize->widgets->prepreview_added_widget_instance( $value, %s );', var_export( $setting_id, true ) );
$function = create_function( '$value', $body );
}}}
--
Ticket URL: <https://core.trac.wordpress.org/ticket/27805>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
More information about the wp-trac
mailing list
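The following is an added example, not code from the ticket or from WordPress core. It shows in isolation what the ticket is about: `create_function()` compiles its body string with `eval()`, so a setting id spliced into that string without quoting lets the id rewrite the PHP; `var_export()` on a string renders a single-quoted literal with `'` and `\` escaped, which is why the current code holds up; and a closure (PHP 5.3+) captures the id as data, so no source text is ever compiled. `prepreview_stub()` is an assumed stand-in for `$wp_customize->widgets->prepreview_added_widget_instance()`, and `$evil_id` is a constructed input.

```php
<?php
// Added example (not WordPress core code): create_function() vs var_export()
// quoting vs a closure. prepreview_stub() is an assumed stand-in for
// $wp_customize->widgets->prepreview_added_widget_instance(); it only
// reports the setting id it was called with.
function prepreview_stub( $value, $setting_id ) {
    return 'prepreview(' . $setting_id . ')';
}

// Unsafe pattern: the id is spliced into a code string with hand-written
// quotes, so the id's own characters control PHP syntax. create_function()
// exists only on PHP < 8.0 (deprecated since 7.2), hence the guard below.
function make_unsafe( $setting_id ) {
    $body = sprintf( 'return prepreview_stub( $value, \'%s\' );', $setting_id );
    return create_function( '$value', $body );
}

// Pattern from the ticket: var_export() renders a string as a single-quoted
// PHP literal with \ and ' escaped, so the id cannot break out of the literal.
function make_var_export( $setting_id ) {
    $body = sprintf( 'return prepreview_stub( $value, %s );', var_export( $setting_id, true ) );
    return create_function( '$value', $body );
}

// Proposed replacement (PHP 5.3+): the closure captures $setting_id as a
// value; no source string is compiled, so there is nothing to inject into.
function make_closure( $setting_id ) {
    return function ( $value ) use ( $setting_id ) {
        return prepreview_stub( $value, $setting_id );
    };
}

// Constructed malicious id: closes the single-quoted literal and concatenates
// a function call. Any PHP expression would do; strtoupper() keeps it harmless.
$evil_id = "' . strtoupper('injected') . '";

if ( function_exists( 'create_function' ) ) {
    $unsafe = make_unsafe( $evil_id );
    echo $unsafe( null ), "\n";

    $quoted = make_var_export( $evil_id );
    echo $quoted( null ), "\n";
}

$closure = make_closure( $evil_id );
echo $closure( null ), "\n";
```

On PHP 5.3 through 7.x the first line printed is `prepreview(INJECTED)`: the attacker's `strtoupper()` call ran inside the generated function, which is the RCE shape the ticket worries about. The `var_export()` and closure variants both print the id back verbatim, `prepreview(' . strtoupper('injected') . ')`, because in both cases it stays a string value. The difference between the last two is that the closure has no `eval()` step to get wrong if someone later changes the type of `$setting_id` or the body template.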