[wp-trac] [WordPress Trac] #9602: eval problem in classes.php and rewrite.php
WordPress Trac
wp-trac at lists.automattic.com
Wed Aug 19 14:25:07 UTC 2009
#9602: eval problem in classes.php and rewrite.php
--------------------------+-------------------------------------------------
 Reporter:  obsidiandh    |       Owner:  westi
     Type:  defect (bug)  |      Status:  reviewing
 Priority:  low           |   Milestone:  2.9
Component:  Permalinks    |     Version:  2.7.1
 Severity:  minor         |    Keywords:  has-patch tested dev-feedback
--------------------------+-------------------------------------------------
Comment(by Hans Spath):
I think eval() should be avoided at all cost.
I haven't checked if it's possible and it doesn't look like it, but
'''if''' a site visitor somehow manages to modify or control parts of
$query (not $matches), you have a serious problem (addslashes() won't
protect you):
Demonstration:
{{{
<?php
$userstr = '&blabla={$x[die(join(null,array_map(chr(99).chr(104).'
. 'chr(114),array(72,105,32,87,111,114,100,112,114,101,115,115,44,'
. '32,101,118,97,108,32,105,115,32,101,118,105,108,46,10))))]}';
$query = '?page_id=$matches[0]&$matches[2]=$matches[3]' . $userstr;
$matches = array('a', 'b', 'c', 'd');
eval("\$query = \"" . addslashes($query) . "\";");
echo "Hello world!";
echo "\$query is '$query'\n";
}}}
Output:
{{{
Hi Wordpress, eval is evil.
}}}
--
Ticket URL: <http://core.trac.wordpress.org/ticket/9602#comment:18>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
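The eval()-free alternative the comment argues for, as an added example that is not part of the ticket and not WordPress's own code: a single regex substitution that interprets only the literal `$matches[N]` token and treats every other character of `$query` as inert text. The function name `substitute_matches` is a hypothetical one chosen here; the inputs are the ones from the demonstration above.

```php
<?php
// Added example (not WordPress code): replace "$matches[N]" tokens in a
// rewrite query with preg_replace_callback instead of eval(), so that a
// visitor-influenced $query is never parsed as PHP source.

function substitute_matches(string $query, array $matches): string {
    // Only the exact token "$matches[<digits>]" is recognised. Braces,
    // dollar signs or function names elsewhere in $query stay as text.
    return preg_replace_callback(
        '/\$matches\[(\d+)\]/',
        function (array $m) use ($matches): string {
            $i = (int) $m[1];
            // A missing capture group becomes an empty string instead of
            // a PHP notice; nothing in $query can change this behaviour.
            return isset($matches[$i]) ? (string) $matches[$i] : '';
        },
        $query
    );
}

// Constructed input: the same attacker-supplied suffix from the comment.
$userstr = '&blabla={$x[die(join(null,array_map(chr(99).chr(104).'
    . 'chr(114),array(72,105,32,87,111,114,100,112,114,101,115,115,44,'
    . '32,101,118,97,108,32,105,115,32,101,118,105,108,46,10))))]}';
$query   = '?page_id=$matches[0]&$matches[2]=$matches[3]' . $userstr;
$matches = array('a', 'b', 'c', 'd');

// The three tokens are replaced with 'a', 'c' and 'd'; the "{$x[die(...)]}"
// part is copied through unchanged and die() is never reached, because no
// code path hands $query to the PHP parser.
$result = substitute_matches($query, $matches);
echo "\$query is '$result'\n";
```

The same idea generalises to any template whose placeholders have a fixed, fully enumerable syntax: match the placeholder with a regex and substitute, and never rebuild a string for eval() from data a visitor can influence.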