[wp-trac] [WordPress Trac] #9602: eval problem in classes.php and rewrite.php

WordPress Trac wp-trac at lists.automattic.com
Wed Aug 19 14:25:07 UTC 2009


#9602: eval problem in classes.php and rewrite.php
--------------------------+-------------------------------------------------
 Reporter:  obsidiandh    |       Owner:  westi                        
     Type:  defect (bug)  |      Status:  reviewing                    
 Priority:  low           |   Milestone:  2.9                          
Component:  Permalinks    |     Version:  2.7.1                        
 Severity:  minor         |    Keywords:  has-patch tested dev-feedback
--------------------------+-------------------------------------------------

Comment(by Hans Spath):

 I think eval() should be avoided at all cost.

 I haven't checked if it's possible and it doesn't look like it, but
 '''if''' a site visitor somehow manages to modify or control parts of
 $query (not $matches), you have a serious problem (addslashes() won't
 protect you):

 Demonstration:
 {{{
 <?php
 $userstr = '&blabla={$x[die(join(null,array_map(chr(99).chr(104).'
 . 'chr(114),array(72,105,32,87,111,114,100,112,114,101,115,115,44,'
 . '32,101,118,97,108,32,105,115,32,101,118,105,108,46,10))))]}';

 $query = '?page_id=$matches[0]&$matches[2]=$matches[3]' . $userstr;
 $matches = array('a', 'b', 'c', 'd');

 eval("\$query = \"" . addslashes($query) . "\";");
 echo "Hello world!";
 echo "\$query is '$query'\n";
 }}}

 Output:
 {{{
 Hi Wordpress, eval is evil.
 }}}

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/9602#comment:18>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
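
An eval-free way to expand the `$matches[N]` placeholders discussed in the comment above, as an added example that is not part of the original comment or of WordPress's own code. The function name `map_matches()`, the use of `urlencode()` on substituted values, and the sample input are assumptions made for illustration.

```php
<?php
// Added example, not WordPress code: expand $matches[N] placeholders
// without eval(). map_matches() is a hypothetical helper name.

/**
 * Replace each literal "$matches[N]" in $query with the N-th captured value.
 * The rest of $query is treated as plain data and is never parsed as PHP,
 * so {$...} interpolation syntax inside it has no effect.
 */
function map_matches(string $query, array $matches): string
{
    return preg_replace_callback(
        '/\$matches\[(\d+)\]/',
        function (array $m) use ($matches): string {
            $i = (int) $m[1];
            // Unknown indexes expand to an empty string.
            // urlencode() is a choice made in this example, since the
            // result is used as a query string.
            return isset($matches[$i]) ? urlencode((string) $matches[$i]) : '';
        },
        $query
    );
}

// Constructed input, modelled on the demonstration above: a rewrite query
// followed by a string that uses PHP's {$...} interpolation syntax.
$userstr = '&blabla={$x[strtoupper(chr(104).chr(105))]}';
$query   = '?page_id=$matches[0]&$matches[2]=$matches[3]' . $userstr;
$matches = array('a', 'b', 'c', 'd');

// The three placeholders are filled in; the {$x[...]} part is copied
// through unchanged as an inert literal.
echo map_matches($query, $matches), "\n";
```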

