
question about the danger of eval


pittendrigh


I have a home-rolled CMS that often sucks in HTML file fragments as the contents of an arbitrary block element on the current page. When HTML fragments contain images the img link all too often breaks when directories (relative to the DOCUMENT_ROOT) get moved around.

 

My processor looks for back ticks in fragments. If they exist it parses that sub-fragment and writes out a dynamic path to the current image using a _SESSION variable. So now, if images are stored relative to the current page I can move directories from here to there and everything still works. Still displays.

 

  <img src="`$_SESSION['currentClickDirUrl'];`/hidden/someimage.jpg" alt="someimage"/>

 

...ends up using eval($cmd) to write out a dynamic image URL

 

    function processBackTics($str) {
        $ret = '';
        if(!strstr($str,'`'))
           return '';
 
        $pos1 = strpos($str, '`');
        $ret .= substr($str, 0, $pos1);
 
        $rest = substr($str, $pos1 + 1);
        $pos2 = strpos($rest, '`');
 
        $cmd = substr($str, $pos1 + 1, $pos2);
 
        if ($cmd != null) {
            ob_start();
            eval($cmd);
            $ret .= ob_get_contents();
            @ob_end_clean();
        }
 
        $rest = substr($rest, $pos2 + 1);
        if (strstr($rest, '`'))
            $ret .= $this->processBackTics($rest);
        else
            $ret .= $rest;
        return($ret);
    }
 
I think this code can never be evaluated unless it comes from a file_get_contents($path) on my server. And I have lots of code to clean all incoming GET and POST parameters.

So. Is this dangerous? I've been running it for a good five years and never been hacked. But I do have a low traffic non-ecommerce site.
 

 

 

https://forums.phpfreaks.com/topic/295178-question-about-the-danger-of-eval/

It may not be dangerous per se if you can guarantee it only ever runs your files and never anything submitted by another person.

 

It's still not good either. For what you mentioned as your needs, all you really need to do is implement a simple find and replace system.

    <img src="{CURRENT_DIR}/hidden/someimage.jpg" alt="someimage">

    $code = file_get_contents($file);
    $code = str_replace('{CURRENT_DIR}', $_SESSION['currentClickDirUrl'], $code);
    echo $code;
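
The find-and-replace approach from the reply above, carried a little further as an added example that is not part of the original thread: placeholders are resolved from a fixed allowlist, substituted values are HTML-escaped, and leftover backtick text in a fragment is output as inert data instead of reaching eval(). The function name `renderFragment`, the `{NAME}` pattern and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example: expand {NAME} placeholders from a fixed allowlist.
 * Fragment text is only ever treated as data; nothing is passed to eval().
 * renderFragment() is a hypothetical helper, not code from the thread.
 */
function renderFragment(string $html, array $allowed): string
{
    $out = preg_replace_callback(
        '/\{([A-Z][A-Z0-9_]*)\}/',
        static function (array $m) use ($allowed): string {
            // Unknown placeholders are left exactly as written.
            if (!array_key_exists($m[1], $allowed)) {
                return $m[0];
            }
            // Values land inside HTML attributes, so escape quotes and brackets.
            return htmlspecialchars((string) $allowed[$m[1]], ENT_QUOTES, 'UTF-8');
        },
        $html
    );

    // preg_replace_callback() returns null on a PCRE error; fall back to the input.
    return $out ?? $html;
}

// Constructed sample input. The value stands in for
// $_SESSION['currentClickDirUrl']; the second fragment still uses the old
// backtick syntax and an unknown placeholder.
$allowed = ['CURRENT_DIR' => '/gallery/2015'];
$fragments = [
    '<img src="{CURRENT_DIR}/hidden/someimage.jpg" alt="someimage"/>',
    '<p>`echo "legacy snippet";` and {UNKNOWN}</p>',
];

foreach ($fragments as $fragment) {
    echo renderFragment($fragment, $allowed), PHP_EOL;
}
```

With this in place, a fragment file that is edited or replaced can at most change the markup that is displayed; it cannot cause PHP code to execute.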
