author | Derek Jones <derek.jones@ellislab.com> | 2009-02-10 20:08:56 +0100 |
committer | Derek Jones <derek.jones@ellislab.com> | 2009-02-10 20:08:56 +0100 |
commit | 63eeae3357b94edfdd5b652fd97fe878403be9f8 (patch) | |
tree | a02daec6f2111d8ce605bbc00655f7bba0bc1a6d /system | |
parent | 0b2145f96b6c05aefb51cccb643d203b83a0d761 (diff) |
Changed the algorithm used in _reset_post_array() to no longer rely on eval(), plugging an arbitrary script execution hole
http://codeigniter.com/bug_tracker/bug/6068/
Diffstat (limited to 'system')
-rw-r--r-- | system/libraries/Form_validation.php | 31 |
1 files changed, 11 insertions, 20 deletions
diff --git a/system/libraries/Form_validation.php b/system/libraries/Form_validation.php
index 7be93a192..09175328c 100644
--- a/system/libraries/Form_validation.php
+++ b/system/libraries/Form_validation.php
@@ -416,45 +416,36 @@ class CI_Form_validation {
 }
 else
 {
- $post = '$_POST["';
+ // start with a reference
+ $post_ref =& $_POST;
+ // before we assign values, make a reference to the right POST key
 if (count($row['keys']) == 1)
 {
- $post .= current($row['keys']);
- $post .= '"]';
+ $post_ref =& $post_ref[current($row['keys'])];
 }
 else
 {
- $i = 0;
 foreach ($row['keys'] as $val)
 {
- if ($i == 0)
- {
- $post .= $val.'"]';
- $i++;
- continue;
- }
-
- $post .= '["'.$val.'"]';
+ $post_ref =& $post_ref[$val];
 }
 }
-
+
 if (is_array($row['postdata']))
- {
+ {
 $array = array();
 foreach ($row['postdata'] as $k => $v)
 {
 $array[$k] = $this->prep_for_form($v);
 }
-
- $post .= ' = $array;';
+
+ $post_ref = $array;
 }
 else
- {
- $post .= ' = "'.$this->prep_for_form($row['postdata']).'";';
+ {
+ $post_ref = $this->prep_for_form($row['postdata']);
 }
-
- eval($post);
 }
 }
 }
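Review bot: The reference walk in the new `foreach ($row['keys'] as $val)` branch assumes every intermediate `$post_ref[$val]` is an array, but the shape of `$_POST` is chosen by the client: a request that sends a scalar where the rule names a nested key (say `foo=x` for a rule on `foo[bar]`) makes `$post_ref =& $post_ref[$val]` take a reference to a string offset, which PHP refuses with a fatal error, and a key the request did not send is silently created in `$_POST` and then assigned to instead of being skipped. The walk should only descend through array elements that actually exist and skip the `prep_for_form()` assignment otherwise; the `count($row['keys']) == 1` branch walks the same path with a single key, so one guarded loop can replace both branches. The enclosing `_reset_post_array()` loop starts outside the hunk, so whether `$row['postdata']` can be non-null for such a mismatched request is inferred from the visible code rather than shown here.
```php
// before we assign values, make a reference to the right POST key
$found = TRUE;
foreach ($row['keys'] as $val)
{
	// only descend through array elements the request actually sent;
	// a scalar or missing key means the POST shape does not match the rule
	if ( ! is_array($post_ref) OR ! isset($post_ref[$val]))
	{
		$found = FALSE;
		break;
	}
	$post_ref =& $post_ref[$val];
}

if ($found)
{
	// … unchanged: prep_for_form() of $row['postdata'] assigned to $post_ref …
}
```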