authorAleksander Machniak <alec@alec.pl>2013-05-01 13:56:35 +0200
committerAleksander Machniak <alec@alec.pl>2013-05-01 13:56:35 +0200
commit4741d17c7777ed64b0d90b9265125a5dc0d69432 (patch)
treedafca62e7f2b6ab25c7bd363371bfaf3deb1ac6c /program/lib/Roundcube
parentc2e1ab4765ea69112791df3607faadf1bbf8b9c9 (diff)
Use create_function() instead of eval()
Diffstat (limited to 'program/lib/Roundcube')
-rw-r--r--program/lib/Roundcube/rcube_ldap.php15
1 files changed, 14 insertions, 1 deletions
diff --git a/program/lib/Roundcube/rcube_ldap.php b/program/lib/Roundcube/rcube_ldap.php
index 922c73568..26f46a0f6 100644
--- a/program/lib/Roundcube/rcube_ldap.php
+++ b/program/lib/Roundcube/rcube_ldap.php
@@ -1396,6 +1396,10 @@ class rcube_ldap extends rcube_addressbook
*/
protected function add_autovalues(&$attrs)
{
+ if (empty($this->prop['autovalues'])) {
+ return;
+ }
+
$attrvals = array();
foreach ($attrs as $k => $v) {
$attrvals['{'.$k.'}'] = is_array($v) ? $v[0] : $v;
@@ -1406,7 +1410,16 @@ class rcube_ldap extends rcube_addressbook
if (strpos($templ, '(') !== false) {
// replace {attr} placeholders with (escaped!) attribute values to be safely eval'd
$code = preg_replace('/\{\w+\}/', '', strtr($templ, array_map('addslashes', $attrvals)));
- $attrs[$lf] = eval("return ($code);");
+ $fn = create_function('', "return ($code);");
+ if (!$fn) {
+ rcube::raise_error(array(
+ 'code' => 505, 'type' => 'php',
+ 'file' => __FILE__, 'line' => __LINE__,
+ 'message' => "Expression parse error on: ($code)"), true, false);
+ continue;
+ }
+
+ $attrs[$lf] = $fn();
}
else {
// replace {attr} placeholders with concrete attribute values
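Review bot: `create_function('', "return ($code);")` still compiles `$code` as PHP, just as the removed eval() did, so the swap adds a checkable false return on parse errors but does not narrow what the expression can execute. The only protection remains the `addslashes` mapping on the line above, which holds only where a `{attr}` placeholder sits inside a quoted string literal in the template; a placeholder used outside quotes would place a directory attribute value directly into code. I would state that constraint at the call, e.g. `// autovalues expressions are compiled as PHP: keep every {attr} inside quotes, values are only addslashes()-escaped`, and longer term replace free-form expressions with a fixed allowlist of formatting functions. Each create_function() call also defines a new global function that is never freed, and this one appears to run once per template in a loop that starts outside the hunk; the function is deprecated as of PHP 7.2 and removed in 8.0.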