author | Derek Jones <derek.jones@ellislab.com> | 2009-02-10 20:08:56 +0100 |
---|---|---|
committer | Derek Jones <derek.jones@ellislab.com> | 2009-02-10 20:08:56 +0100 |
commit | 63eeae3357b94edfdd5b652fd97fe878403be9f8 (patch) | |
tree | a02daec6f2111d8ce605bbc00655f7bba0bc1a6d | |
parent | 0b2145f96b6c05aefb51cccb643d203b83a0d761 (diff) |
Changed the algorithm used in _reset_post_array() to no longer rely on eval(), plugging an arbitrary script execution hole
http://codeigniter.com/bug_tracker/bug/6068/
-rw-r--r-- | system/libraries/Form_validation.php | 31 | ||||
-rw-r--r-- | user_guide/changelog.html | 1 |
2 files changed, 12 insertions, 20 deletions
diff --git a/system/libraries/Form_validation.php b/system/libraries/Form_validation.php
index 7be93a192..09175328c 100644
--- a/system/libraries/Form_validation.php
+++ b/system/libraries/Form_validation.php
@@ -416,45 +416,36 @@ class CI_Form_validation {
 }
 else
 {
- $post = '$_POST["';
+ // start with a reference
+ $post_ref =& $_POST;
 
+ // before we assign values, make a reference to the right POST key
 if (count($row['keys']) == 1)
 {
- $post .= current($row['keys']);
- $post .= '"]';
+ $post_ref =& $post_ref[current($row['keys'])];
 }
 else
 {
- $i = 0;
 foreach ($row['keys'] as $val)
 {
- if ($i == 0)
- {
- $post .= $val.'"]';
- $i++;
- continue;
- }
-
- $post .= '["'.$val.'"]';
+ $post_ref =& $post_ref[$val];
 }
 }
-
+
 if (is_array($row['postdata']))
- {
+ {
 $array = array();
 foreach ($row['postdata'] as $k => $v)
 {
 $array[$k] = $this->prep_for_form($v);
 }
-
- $post .= ' = $array;';
+
+ $post_ref = $array;
 }
 else
- {
- $post .= ' = "'.$this->prep_for_form($row['postdata']).'";';
+ {
+ $post_ref = $this->prep_for_form($row['postdata']);
 }
-
- eval($post);
 }
 }
 }
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index 457db56a1..63eb75ccd 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -64,6 +64,7 @@ SVN Revision: </p>
 <ul>
 <li>Libraries
 <ul>
+ <li>Fixed an arbitrary script execution security flaw (#6068) in the Form Validation library (thanks to hkk)</li>
 <li>Changed default current page indicator in the Pagination library to use <strong> instead of <b></li>
 <li>A "HTTP/1.1 400 Bad Request" header is now sent when disallowed characters are encountered.</li>
 <li>Added <big>, <small>, <q>, and <tt> to the Typography parser's inline elements.</li> |
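Review bot: The reference walk `$post_ref =& $post_ref[$val];` (and the single-key form just above it) assumes every intermediate value under `$_POST` is either unset or an array; if a client sends a scalar where a nested array field was registered (for example `foo=1` when a rule exists for `foo[bar]`), PHP refuses to take a reference to a string offset and the request ends in a fatal error instead of a validation failure. Whether that path is reachable depends on how `$row['postdata']` is populated, which is not visible in this hunk, so it should be confirmed rather than assumed. A cheap guard before each descent, `if (isset($post_ref) && ! is_array($post_ref)) { $post_ref = array(); }`, keeps a request shape that the client controls from turning into an error, and matches what the autovivification already does for missing keys. The whitespace-only rewrites of the `{` lines in the `is_array` and `else` branches add noise to a security fix and would read better in a separate commit. `_reset_post_array()` starts before the hunk, so the outer loop that rebinds `$post_ref` on each field is not shown here.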