[theme-reviewers] [WordPress Themes] #2186: THEME: impressIO -1.0

Otto otto at ottodestruct.com
Wed Jan 5 12:44:35 UTC 2011


The old scan is still in effect, and it's not perfect. The new
theme-checker is better and would have caught that, except that it's
not enabled for must-pass yet. Won't be until after 3.1.

-Otto



On Wed, Jan 5, 2011 at 6:35 AM, Jay <furcifer at furcifer.me> wrote:
> I thought the uploader scanned for eval?
>
> "Philip M. Hofer (Frumph)" <philip at frumph.net> wrote:
>
>>$cap = new autoconfig();
>>
>>He's using $cap->var;  to get the variable, and you just wrote exactly
>>what I was going to write ;)
>>
>>
>>- Phil
>>
>>
>>
>>----- Original Message -----
>>From: "Otto" <otto at ottodestruct.com>
>>To: <theme-reviewers at lists.wordpress.org>
>>Sent: Wednesday, January 05, 2011 4:04 AM
>>Subject: Re: [theme-reviewers] [WordPress Themes] #2186: THEME:
>>impressIO -1.0
>>
>>
>>> For the specific case of eval, whether it is harmful or not is
>>> irrelevant. We do not allow use of eval() in themes. Period.
>>>
>>> And for the record, this is one of the stupidest functions I've ever
>>> seen:
>>>
>>> public function fetchConfig($fn){
>>> $code = '$this->' . $fn;
>>> eval("return $code");
>>> }
>>>
>>> I guess the point seems to be to return $this->foo where $fn='foo',
>>> but there's a few problems with it.
>>>
>>> Firstly, it doesn't make any sense. Why take the input, build a
>>> string, and then eval that string? If you want to return $this->foo
>>> when $fn = 'foo', then a simple "return $this->$fn;" would do the
>>> trick just fine.
>>>
>>> Secondly, it doesn't work. "return $code" will return a syntax error
>>> due to the lack of the ending semi-colon on the code.
>>>
>>> Thirdly, I can't find any reference to it in any of the other files.
>>> If this isn't being used, why is it in there at all?
>>>
>>> No, I wouldn't allow it through with that in there.
>>>
>>> -Otto
>>>
>>> On Wed, Jan 5, 2011 at 5:42 AM, Radu Ganea <raduganea at raduganea.com>
>>> wrote:
>>>> Hi guys,
>>>>
>>>> I will update the TimThumb to the latest version.
>>>> Could you please take a closer look at the "eval()" function I am
>>>> using and see if it really is harmful? I really think it isn't.
>>>>
>>>> Thanks
>>> _______________________________________________
>>> theme-reviewers mailing list
>>> theme-reviewers at lists.wordpress.org
>>> http://lists.wordpress.org/mailman/listinfo/theme-reviewers
>>>
>>
>>
>
> --
> Mobile, wolf is mobile.
> Http://furcifer.net
>
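As an added illustration (not code from the impressIO theme or from anyone on the list), this is the eval()-free fetchConfig() that Otto's "return $this->$fn;" suggestion amounts to, with an allow-list so a caller-supplied name cannot reach arbitrary properties, plus the kind of crude eval() check a theme scanner performs. The class name autoconfig and the config keys are assumed for the example.

```php
<?php
// Added example: eval()-free replacement for fetchConfig() and a minimal
// scanner check. Class name and config keys are assumed, not the theme's.

class autoconfig {
    // Config names that may be fetched by name (assumed for the example).
    private $allowed = array('title', 'sidebar_width');
    public $title = 'Example Site';
    public $sidebar_width = 300;

    // Same intent as the original fetchConfig(): return $this->foo for
    // $fn = 'foo'. Dynamic property access does it directly; no string
    // building and no eval().
    public function fetchConfig($fn) {
        // Reject names outside the allow-list so a user-influenced $fn
        // cannot read private members or other unintended properties.
        if (!in_array($fn, $this->allowed, true)) {
            return null;
        }
        return $this->$fn;
    }
}

// Crude detector of the kind the reviewers wanted the uploader to run:
// flags any eval( call in PHP source. It does not skip commented-out
// code, so a hit still needs a human look; a miss is not a pass either.
function contains_eval($source) {
    return preg_match('/\beval\s*\(/i', $source) === 1;
}

$cap = new autoconfig();
var_dump($cap->fetchConfig('title'));    // string "Example Site"
var_dump($cap->fetchConfig('allowed'));  // NULL: not an allowed config name

// Constructed sample of the pattern quoted in the thread.
$theme_src = '<?php $code = \'$this->\' . $fn; eval("return $code"); ?>';
var_dump(contains_eval($theme_src));     // bool(true)
```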

