From 029d18f13bcf01aa2f1f08dbdfc6400c081bf7cb Mon Sep 17 00:00:00 2001
From: Andy Wermke <andy@dev.next-step-software.com>
Date: Thu, 04 Apr 2013 10:08:53 -0400
Subject: [PATCH] Replaced nasty eval() expressions.

---
 program/include/rcmail_output_html.php |   35 +++++++++++++++++++++++++++++++++--
 1 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php
index 1290e17..795c0b3 100644
--- a/program/include/rcmail_output_html.php
+++ b/program/include/rcmail_output_html.php
@@ -722,7 +722,7 @@
      */
     protected function check_condition($condition)
     {
-        return eval("return (".$this->parse_expression($condition).");");
+        return $this->eval_expression($condition);
     }
 
 
@@ -770,6 +770,37 @@
                 "\$this->browser->{'\\1'}",
                 $this->template_name,
             ),
+            $expression);
+    }
+
+    protected function eval_expression ($expression) {
+        return preg_replace_callback(
+            array(
+                '/session:([a-z0-9_]+)/i',
+                '/config:([a-z0-9_]+)(:([a-z0-9_]+))?/i',
+                '/env:([a-z0-9_]+)/i',
+                '/request:([a-z0-9_]+)/i',
+                '/cookie:([a-z0-9_]+)/i',
+                '/browser:([a-z0-9_]+)/i',
+                '/template:name/i',
+            ),
+            function($match) {
+                if(preg_match('/session:([a-z0-9_]+)/i', $match, $matches)) {
+                    return $_SESSION[$matches[1]];
+                } else if(preg_match('/config:([a-z0-9_]+)(:([a-z0-9_]+))?/i', $match, $matches)) {
+                    return $this->app->config->get($matches[1],rcube_utils::get_boolean($matches[3]));
+                } else if(preg_match('/env:([a-z0-9_]+)/i', $match, $matches)) {
+                    return $this->env[$matches[1]];
+                } else if(preg_match('/request:([a-z0-9_]+)/i', $match, $matches)) {
+                    return rcube_utils::get_input_value($matches[1], rcube_utils::INPUT_GPC);
+                } else if(preg_match('/cookie:([a-z0-9_]+)/i', $match, $matches)) {
+                    return $_COOKIE[$matches[1]];
+                } else if(preg_match('/browser:([a-z0-9_]+)/i', $match, $matches)) {
+                    return $this->browser->{$matches[1]};
+                } else if(preg_match('/template:name/i', $match, $matches)) {
+                    return $this->template_name;
+                }
+            },
             $expression);
     }
 
@@ -955,7 +986,7 @@
             // return code for a specified eval expression
             case 'exp':
                 $value = $this->parse_expression($attrib['expression']);
-                return eval("return html::quote($value);");
+                return html::quote( $this->eval_expression($attrib['expression']) );
 
             // return variable
             case 'var':

--
Gitblit v1.9.1