diff options
author | Thomas Bruederli <thomas@roundcube.net> | 2013-05-01 13:26:07 +0200 |
---|---|---|
committer | Thomas Bruederli <thomas@roundcube.net> | 2013-05-01 13:27:04 +0200 |
commit | 2d6dca47146d33be703cacc85cb76b28cfca8aff (patch) | |
tree | 4a4318b6bdc038460a0537ff40ded63f63452485 /program/lib | |
parent | 283ac978524b62383afaa784c4ec62ca4b96882f (diff) |
Escape user input values when used in eval()
Diffstat (limited to 'program/lib')
-rw-r--r-- | program/lib/Roundcube/rcube_ldap.php | 16 |
1 files changed, 9 insertions, 7 deletions
diff --git a/program/lib/Roundcube/rcube_ldap.php b/program/lib/Roundcube/rcube_ldap.php index 47e96c32b..922c73568 100644 --- a/program/lib/Roundcube/rcube_ldap.php +++ b/program/lib/Roundcube/rcube_ldap.php @@ -1403,13 +1403,15 @@ class rcube_ldap extends rcube_addressbook foreach ((array)$this->prop['autovalues'] as $lf => $templ) { if (empty($attrs[$lf])) { - // replace {attr} placeholders with concrete attribute values - $templ = preg_replace('/\{\w+\}/', '', strtr($templ, $attrvals)); - - if (strpos($templ, '(') !== false) - $attrs[$lf] = eval("return ($templ);"); - else - $attrs[$lf] = $templ; + if (strpos($templ, '(') !== false) { + // replace {attr} placeholders with (escaped!) attribute values to be safely eval'd + $code = preg_replace('/\{\w+\}/', '', strtr($templ, array_map('addslashes', $attrvals))); + $attrs[$lf] = eval("return ($code);"); + } + else { + // replace {attr} placeholders with concrete attribute values + $attrs[$lf] = preg_replace('/\{\w+\}/', '', strtr($templ, $attrvals)); + } } } } |