Jump to content

question about the danger of eval


Go to solution Solved by kicken,

Recommended Posts

I have a home-rolled CMS that often sucks in HTML file fragments as the contents of an arbitrary block element on the current page.  When HTML fragments contain images the img link all too often breaks when directories (relative to the DOCUMENT_ROOT)  get moved around. 

 

My processor looks for back ticks in fragments.  If they exist it parses that sub-fragment and writes out a dynamic path to the current image using a _SESSION variable. So now, if images are stored relative to the current page I can move directories from here to there and everything still works.  Still displays.

 

  <img src="`$_SESSION['currentClickDirUrl'];`/hidden/someimage.jpg" alt="someimage"/>

 

...ends up using eval($cmd) to write out a dynamic image URL

 

    function processBackTics($str) {
        $ret = '';
        if(!strstr($str,'`'))
           return '';
 
        $pos1 = strpos($str, '`');
        $ret .= substr($str, 0, $pos1);
 
        $rest = substr($str, $pos1 + 1);
        $pos2 = strpos($rest, '`');
 
        $cmd = substr($str, $pos1 + 1, $pos2);
 
        if ($cmd != null) {
            ob_start();
            eval($cmd);
            $ret .= ob_get_contents();
            @ob_end_clean();
        }
 
        $rest = substr($rest, $pos2 + 1);
        if (strstr($rest, '`'))
            $ret .= $this->processBackTics($rest);
        else
            $ret .= $rest;
        return($ret);
    }
 
I think this code can never be evaluated unless it comes from a file_get_contents($path) on my server.   And I have lots of code to clean all incoming GET and POST parameters.
 
So.  Is this dangerous?  I've been running it for a good five years and never been hacked.  But I do have a low traffic non-ecommerce site.
 

 

 

Link to comment
https://forums.phpfreaks.com/topic/295178-question-about-the-danger-of-eval/
Share on other sites

  • Solution

It may not be dangerous per-say if you can guarantee it only ever runs your files and never anything submitted by another person.

 

It's still not good either. For what you mentioned as your needs, all you really need to do is implement a simple find and replace system.

<img src="{CURRENT_DIR}/hidden/someimage.jpg" alt="someimage">
$code = file_get_contents($file);
$code = str_replace('{CURRENT_DIR}', $_SESSION['currentClickDirUrl'], $code);
echo $code;
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.