From 4741d17c7777ed64b0d90b9265125a5dc0d69432 Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Wed, 01 May 2013 07:56:35 -0400
Subject: [PATCH] Use create_function() instead of eval()

---
 CHANGELOG                            |    1 +
 program/lib/Roundcube/rcube_ldap.php |   15 ++++++++++++++-
 2 files changed, 15 insertions(+), 1 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index d3bbf5b..060fd95 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Make PHP code eval() free, use create_function()
 - Add option to display email address together with a name in mail preview (#1488732)
 - Fix Reply-To header handling in Reply-All action (#1489037)
 - Fix so Sender: address is added to Cc: field on reply to all (#1489011)
diff --git a/program/lib/Roundcube/rcube_ldap.php b/program/lib/Roundcube/rcube_ldap.php
index 922c735..26f46a0 100644
--- a/program/lib/Roundcube/rcube_ldap.php
+++ b/program/lib/Roundcube/rcube_ldap.php
@@ -1396,6 +1396,10 @@
      */
     protected function add_autovalues(&$attrs)
     {
+        if (empty($this->prop['autovalues'])) {
+            return;
+        }
+
         $attrvals = array();
         foreach ($attrs as $k => $v) {
             $attrvals['{'.$k.'}'] = is_array($v) ? $v[0] : $v;
@@ -1406,7 +1410,16 @@
                 if (strpos($templ, '(') !== false) {
                     // replace {attr} placeholders with (escaped!) attribute values to be safely eval'd
                     $code = preg_replace('/\{\w+\}/', '', strtr($templ, array_map('addslashes', $attrvals)));
-                    $attrs[$lf] = eval("return ($code);");
+                    $fn   = create_function('', "return ($code);");
+                    if (!$fn) {
+                        rcube::raise_error(array(
+                            'code' => 505, 'type' => 'php',
+                            'file' => __FILE__, 'line' => __LINE__,
+                            'message' => "Expression parse error on: ($code)"), true, false);
+                        continue;
+                    }
+
+                    $attrs[$lf] = $fn();
                 }
                 else {
                     // replace {attr} placeholders with concrete attribute values
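Review bot: The template string in `$code` is still compiled and executed as PHP after this change, because `create_function()` builds its lambda from the same source-string compilation path as `eval()`; the commit removes the `eval` token but not the dynamic code execution, so the safety of this branch continues to rest on `addslashes` escaping of the attribute values and on `$this->prop['autovalues']` being trusted configuration rather than user-supplied data. The comment on the line before the `$code` assignment still says "to be safely eval'd" and should say so explicitly, e.g. `// replace {attr} placeholders with (escaped!) attribute values; the result is still executed as PHP via create_function(), so templates must come from trusted config only`. Separately, each `create_function()` call registers a new anonymous function that is never released for the rest of the request, so calling this inside the per-template loop (and once per record added) accumulates functions; caching the compiled callable keyed by the `$code` string, or keeping the single `eval("return ($code);")` with the same parse-error handling, avoids that growth. Later PHP releases deprecate and then remove `create_function()`, which is worth noting in the CHANGELOG entry. The enclosing `add_autovalues()` starts and ends outside this hunk.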

--
Gitblit v1.9.1