From 4741d17c7777ed64b0d90b9265125a5dc0d69432 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak
Date: Wed, 1 May 2013 13:56:35 +0200
Subject: Use create_function() instead of eval()

---
 CHANGELOG | 1 +
 program/lib/Roundcube/rcube_ldap.php | 15 ++++++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index d3bbf5bfc..060fd9593 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
+- Make PHP code eval() free, use create_function()
 - Add option to display email address together with a name in mail preview (#1488732)
 - Fix Reply-To header handling in Reply-All action (#1489037)
 - Fix so Sender: address is added to Cc: field on reply to all (#1489011)
diff --git a/program/lib/Roundcube/rcube_ldap.php b/program/lib/Roundcube/rcube_ldap.php
index 922c73568..26f46a0f6 100644
--- a/program/lib/Roundcube/rcube_ldap.php
+++ b/program/lib/Roundcube/rcube_ldap.php
@@ -1396,6 +1396,10 @@ class rcube_ldap extends rcube_addressbook
 */
 protected function add_autovalues(&$attrs)
 {
+ if (empty($this->prop['autovalues'])) {
+ return;
+ }
+
 $attrvals = array();
 foreach ($attrs as $k => $v) {
 $attrvals['{'.$k.'}'] = is_array($v) ? $v[0] : $v;
@@ -1406,7 +1410,16 @@ class rcube_ldap extends rcube_addressbook
 if (strpos($templ, '(') !== false) {
 // replace {attr} placeholders with (escaped!) attribute values to be safely eval'd
 $code = preg_replace('/\{\w+\}/', '', strtr($templ, array_map('addslashes', $attrvals)));
- $attrs[$lf] = eval("return ($code);");
+ $fn = create_function('', "return ($code);");
+ if (!$fn) {
+ rcube::raise_error(array(
+ 'code' => 505, 'type' => 'php',
+ 'file' => __FILE__, 'line' => __LINE__,
+ 'message' => "Expression parse error on: ($code)"), true, false);
+ continue;
+ }
+
+ $attrs[$lf] = $fn();
 }
 else {
 // replace {attr} placeholders with concrete attribute values
--
cgit v1.2.3
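Review bot: create_function() compiles its second argument as PHP exactly as eval() did, so at `$fn = create_function('', "return ($code);");` the code-execution surface is unchanged and safety still rests entirely on addslashes() plus how each 'autovalues' template quotes its {attr} placeholder; addslashes() leaves `$` untouched, so a placeholder sitting inside a double-quoted string in a template would still let an attribute value be interpolated (the templates themselves are not visible in this diff, so treat that as something to confirm). The inline comment above `$code` should state the actual contract instead of "safely eval'd", e.g. `// {attr} values are addslashes()-escaped and the result is compiled as PHP via create_function(); templates must wrap each placeholder in single quotes`. Separately, every call mints a new anonymous function that is never released, so add_autovalues() run across a large result set grows memory per entry, and since create_function() is deprecated in PHP 7.2 and removed in 8.0 the durable fix is an evaluator for these expressions that does not compile strings at all. The `!$fn` branch embeds `$code`, and with it the escaped directory attribute values, in the logged message, which is worth a comment so operators know the log may carry directory data. add_autovalues() opens in the preceding hunk and its foreach continues past the end of this one.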