From 63eeae3357b94edfdd5b652fd97fe878403be9f8 Mon Sep 17 00:00:00 2001
From: Derek Jones <derek.jones@ellislab.com>
Date: Tue, 10 Feb 2009 19:08:56 +0000
Subject: Changed the algorithm used in _reset_post_array() to no longer rely
 on eval(), plugging an arbitrary script execution hole

http://codeigniter.com/bug_tracker/bug/6068/
---
 system/libraries/Form_validation.php | 31 +++++++++++--------------------
 user_guide/changelog.html            |  1 +
 2 files changed, 12 insertions(+), 20 deletions(-)

diff --git a/system/libraries/Form_validation.php b/system/libraries/Form_validation.php
index 7be93a192..09175328c 100644
--- a/system/libraries/Form_validation.php
+++ b/system/libraries/Form_validation.php
@@ -416,45 +416,36 @@ class CI_Form_validation {
 				}
 				else
 				{
-					$post = '$_POST["';
+					// start with a reference
+					$post_ref =& $_POST;
 					
+					// before we assign values, make a reference to the right POST key
 					if (count($row['keys']) == 1)
 					{
-						$post .= current($row['keys']);
-						$post .= '"]';
+						$post_ref =& $post_ref[current($row['keys'])];
 					}
 					else
 					{
-						$i = 0;
 						foreach ($row['keys'] as $val)
 						{
-							if ($i == 0)
-							{
-								$post .= $val.'"]';
-								$i++;
-								continue;
-							}
-						
-							$post .= '["'.$val.'"]';
+							$post_ref =& $post_ref[$val];
 						}
 					}
-					
+
 					if (is_array($row['postdata']))
-					{					
+					{
 						$array = array();
 						foreach ($row['postdata'] as $k => $v)
 						{
 							$array[$k] = $this->prep_for_form($v);
 						}
-						
-						$post .= ' = $array;';
+
+						$post_ref = $array;
 					}
 					else
-					{						
-						$post .= ' = "'.$this->prep_for_form($row['postdata']).'";';
+					{
+						$post_ref = $this->prep_for_form($row['postdata']);
 					}
-
-					eval($post);
 				}
 			}
 		}
diff --git a/user_guide/changelog.html b/user_guide/changelog.html
index 457db56a1..63eb75ccd 100644
--- a/user_guide/changelog.html
+++ b/user_guide/changelog.html
@@ -64,6 +64,7 @@ SVN Revision: </p>
 <ul>
 	<li>Libraries
 		<ul>
+			<li>Fixed an arbitrary script execution security flaw (#6068) in the Form Validation library (thanks to hkk)</li>
 			<li>Changed default current page indicator in the Pagination library to use &lt;strong&gt; instead of &lt;b&gt;</li>
 			<li>A "HTTP/1.1 400 Bad Request" header is now sent when disallowed characters are encountered.</li>
 			<li>Added &lt;big&gt;, &lt;small&gt;, &lt;q&gt;, and &lt;tt&gt; to the Typography parser's inline elements.</li>
-- 
cgit v1.2.3-24-g4f1b