author | jim-p <jimp@pfsense.org> | 2017-02-07 14:30:04 -0500 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2017-02-07 14:31:11 -0500 |
commit | 2c5c799a646a014a7729bb834d0f8a92df0f77d0 (patch) | |
tree | cab9e3be16721b076954986a4d8f2596427c9eb4 | |
parent | 4cef56bf20314009ad83bf747901ed1adeda8c70 (diff) | |
Rather than setting the value directly, minimize exposure to eval() in update_config_field() from wizard.php by constructing a variable reference, then set the value using the reference rather than passing user input through eval(). Fixes #7230
-rw-r--r-- | src/usr/local/www/wizard.php | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/src/usr/local/www/wizard.php b/src/usr/local/www/wizard.php
index e7727c2..c3ab379 100644
--- a/src/usr/local/www/wizard.php
+++ b/src/usr/local/www/wizard.php
@@ -165,6 +165,7 @@ if ($_POST && !$input_errors) {
 function update_config_field($field, $updatetext, $unset, $arraynum, $field_type) {
 global $config;
 $field_split = explode("->", $field);
+ $thisvar = null;
 foreach ($field_split as $f) {
 $field_conv .= "['" . $f . "']";
 }
@@ -188,8 +189,9 @@ function update_config_field($field, $updatetext, $unset, $arraynum, $field_type
 if ($field_type == "interfaces_selection") {
 $var = "\$config{$field_conv}";
 $text = "if (isset({$var})) unset({$var});";
- $text .= "\$config" . $field_conv . " = \"" . $updatetext . "\";";
+ $text .= "\$thisvar = &\$config" . $field_conv . ";";
 eval($text);
+ $thisvar = $updatetext;
 return;
 }
@@ -197,8 +199,9 @@ function update_config_field($field, $updatetext, $unset, $arraynum, $field_type
 $text = "unset(\$config" . $field_conv . ");";
 eval($text);
 }
- $text = "\$config" . $field_conv . " = \"" . addslashes($updatetext) . "\";";
+ $text .= "\$thisvar = &\$config" . $field_conv . ";";
 eval($text);
+ $thisvar = $updatetext;
 }
 $title = preg_replace("/pfSense/i", $g['product_name'], $pkg['step'][$stepid]['title']); |
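Review bot: The key path is still compiled into PHP source: in the `foreach` just below the new `$thisvar = null;`, each segment `$f` is wrapped in single quotes with no escaping, so a quote or backslash in `$field` would end the literal inside the string that the second and third hunks pass to eval(). Whether `$field` can ever carry request data is not visible from this hunk, but since the commit's aim is to shrink what eval() sees, the segment should be escaped for a single-quoted literal, `$field_conv .= "['" . addcslashes($f, "'\\") . "']";`, or the reference bound by walking `$config` with `$thisvar = &$thisvar[$f];` per segment so that no source is generated at all. `$field_conv` is also appended to with `.=` without being initialised in the visible lines; `$field_conv = '';` next to the new initialiser would match it.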
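Review bot: Nothing in the `interfaces_selection` branch records why the value is now assigned outside eval(), which makes it easy for a later edit to concatenate `$updatetext` back into `$text`. A comment above the new `$text .=` line would do, for example `// Only the config path goes through eval(); the value is written via $thisvar so user input is never parsed as PHP.` The same comment fits the final assignment in the third hunk. The function begins and ends outside this hunk.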
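Review bot: The added `$text .= "\$thisvar = &\$config" . $field_conv . ";";` appends where the removed line assigned with `=`. After the `$unset == "yes"` branch `$text` still holds the unset statement, so the second eval() runs the unset again before binding the reference; when that branch is skipped `$text` is, as far as the visible lines show, undefined at this point and PHP raises a notice. The outcome is the same today, but the eval'd string should contain only the binding: `$text = "\$thisvar = &\$config" . $field_conv . ";";`. The function's opening lies outside this hunk.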