[theme-reviewers] [WordPress Themes] #2186: THEME: impressIO - 1.0

Otto otto at ottodestruct.com
Wed Jan 5 12:04:19 UTC 2011


For the specific case of eval, whether it is harmful or not is
irrelevant. We do not allow use of eval() in themes. Period.

And for the record, this is one of the stupidest functions I've ever seen:

public function fetchConfig($fn){
		$code = '$this->' . $fn;
		eval("return $code");
	}

I guess the point seems to be to return $this->foo where $fn='foo',
but there's a few problems with it.

Firstly, it doesn't make any sense. Why take the input, build a
string, and then eval that string? If you want to return $this->foo
when $fn = 'foo', then a simple "return $this->$fn;" would do the
trick just fine.

Secondly, it doesn't work. "return $code" will return a syntax error
due to the lack of the ending semi-colon on the code.

Thirdly, I can't find any reference to it in any of the other files.
If this isn't being used, why is it in there at all?

No, I wouldn't allow it through with that in there.

-Otto

On Wed, Jan 5, 2011 at 5:42 AM, Radu Ganea <raduganea at raduganea.com> wrote:
> Hi guys,
>
> I will update the TimThumb to the latest version.
> Could you please take a closer look at the "eval()" function I am using and
> see if it really is harmful? I really think it isn't.
>
> Thanks


More information about the theme-reviewers mailing list