authorDerek Jones <derek.jones@ellislab.com>2009-02-10 20:08:56 +0100
committerDerek Jones <derek.jones@ellislab.com>2009-02-10 20:08:56 +0100
commit63eeae3357b94edfdd5b652fd97fe878403be9f8 (patch)
treea02daec6f2111d8ce605bbc00655f7bba0bc1a6d /system
parent0b2145f96b6c05aefb51cccb643d203b83a0d761 (diff)
Changed the algorithm used in _reset_post_array() to no longer rely on eval(), plugging an arbitrary script execution hole
http://codeigniter.com/bug_tracker/bug/6068/
Diffstat (limited to 'system')
-rw-r--r--system/libraries/Form_validation.php31
1 files changed, 11 insertions, 20 deletions
diff --git a/system/libraries/Form_validation.php b/system/libraries/Form_validation.php
index 7be93a192..09175328c 100644
--- a/system/libraries/Form_validation.php
+++ b/system/libraries/Form_validation.php
@@ -416,45 +416,36 @@ class CI_Form_validation {
}
else
{
- $post = '$_POST["';
+ // start with a reference
+ $post_ref =& $_POST;
+ // before we assign values, make a reference to the right POST key
if (count($row['keys']) == 1)
{
- $post .= current($row['keys']);
- $post .= '"]';
+ $post_ref =& $post_ref[current($row['keys'])];
}
else
{
- $i = 0;
foreach ($row['keys'] as $val)
{
- if ($i == 0)
- {
- $post .= $val.'"]';
- $i++;
- continue;
- }
-
- $post .= '["'.$val.'"]';
+ $post_ref =& $post_ref[$val];
}
}
-
+
if (is_array($row['postdata']))
- {
+ {
$array = array();
foreach ($row['postdata'] as $k => $v)
{
$array[$k] = $this->prep_for_form($v);
}
-
- $post .= ' = $array;';
+
+ $post_ref = $array;
}
else
- {
- $post .= ' = "'.$this->prep_for_form($row['postdata']).'";';
+ {
+ $post_ref = $this->prep_for_form($row['postdata']);
}
-
- eval($post);
}
}
}
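Review bot: The reference chain `$post_ref =& $post_ref[$val];` assumes every intermediate level of $_POST is an array, but the client controls that shape: if a rule names `user[name]` and the request sends `user=foo`, the second step takes a reference into a string offset, which is a fatal error in PHP 5, so the eval() removal trades remote code execution for a client-triggerable crash. Whether a scalar can actually reach this branch depends on how `$row['postdata']` and `$row['keys']` are populated outside the hunk, so that should be confirmed, but a guard at the descent is cheap and keeps the reset semantics. Separately, the `count($row['keys']) == 1` branch is now redundant, since a foreach over a single key does exactly what `current()` does, so the two paths could be collapsed into the loop. The enclosing method and the outer loop over the field data start outside the hunk.
```php
// before we assign values, make a reference to the right POST key
foreach ($row['keys'] as $val)
{
    // Only descend through arrays: $_POST's shape is client-controlled, and
    // taking a reference into a string offset is a fatal error in PHP 5.
    if ( ! is_array($post_ref))
    {
        $post_ref = array();
    }
    $post_ref =& $post_ref[$val];
}
// … unchanged: prep_for_form() assignment through $post_ref …
```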