summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorThomas Bruederli <thomas@roundcube.net>2013-05-01 13:26:07 +0200
committerThomas Bruederli <thomas@roundcube.net>2013-05-01 13:26:07 +0200
commitc2e1ab4765ea69112791df3607faadf1bbf8b9c9 (patch)
tree7378a7fe6bee801a967e711d1cd5a756dd6d16cc
parentf790b443353866c25d28bf32fb5bef20e9186aea (diff)
Escape user input values when used in eval()
-rw-r--r--program/lib/Roundcube/rcube_ldap.php16
1 files changed, 9 insertions, 7 deletions
diff --git a/program/lib/Roundcube/rcube_ldap.php b/program/lib/Roundcube/rcube_ldap.php
index 47e96c32b..922c73568 100644
--- a/program/lib/Roundcube/rcube_ldap.php
+++ b/program/lib/Roundcube/rcube_ldap.php
@@ -1403,13 +1403,15 @@ class rcube_ldap extends rcube_addressbook
foreach ((array)$this->prop['autovalues'] as $lf => $templ) {
if (empty($attrs[$lf])) {
- // replace {attr} placeholders with concrete attribute values
- $templ = preg_replace('/\{\w+\}/', '', strtr($templ, $attrvals));
-
- if (strpos($templ, '(') !== false)
- $attrs[$lf] = eval("return ($templ);");
- else
- $attrs[$lf] = $templ;
+ if (strpos($templ, '(') !== false) {
+ // replace {attr} placeholders with (escaped!) attribute values to be safely eval'd
+ $code = preg_replace('/\{\w+\}/', '', strtr($templ, array_map('addslashes', $attrvals)));
+ $attrs[$lf] = eval("return ($code);");
+ }
+ else {
+ // replace {attr} placeholders with concrete attribute values
+ $attrs[$lf] = preg_replace('/\{\w+\}/', '', strtr($templ, $attrvals));
+ }
}
}
}