authorjim-p <jimp@pfsense.org>2017-02-07 14:30:04 -0500
committerjim-p <jimp@pfsense.org>2017-02-07 14:31:11 -0500
commit2c5c799a646a014a7729bb834d0f8a92df0f77d0 (patch)
treecab9e3be16721b076954986a4d8f2596427c9eb4 /src/usr
parent4cef56bf20314009ad83bf747901ed1adeda8c70 (diff)
downloadpfsense-2c5c799a646a014a7729bb834d0f8a92df0f77d0.zip
pfsense-2c5c799a646a014a7729bb834d0f8a92df0f77d0.tar.gz
Rather than setting the value directly, minimize exposure to eval() in update_config_field() from wizard.php by constructing a variable reference, then set the value using the reference rather than passing user input through eval(). Fixes #7230
Diffstat (limited to 'src/usr')
-rw-r--r--src/usr/local/www/wizard.php7
1 files changed, 5 insertions, 2 deletions
diff --git a/src/usr/local/www/wizard.php b/src/usr/local/www/wizard.php
index e7727c2..c3ab379 100644
--- a/src/usr/local/www/wizard.php
+++ b/src/usr/local/www/wizard.php
@@ -165,6 +165,7 @@ if ($_POST && !$input_errors) {
function update_config_field($field, $updatetext, $unset, $arraynum, $field_type) {
global $config;
$field_split = explode("->", $field);
+ $thisvar = null;
foreach ($field_split as $f) {
$field_conv .= "['" . $f . "']";
}
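Review bot: `$field_conv` is never initialized before the `.=` inside this loop, so the first iteration appends to an undefined variable and the eval'd path expression depends on a notice-level default; initialize it next to the new `$thisvar = null;` line, `$field_conv = '';`. The elements of `$field_split` are still interpolated unescaped into the quoted index `['...']` that the `$var = ...` and `$thisvar = &...` lines of the following two hunks hand to eval(), so a field name containing `'` would change the evaluated statement even though `$updatetext` no longer reaches eval. A character whitelist on each segment before it is appended, for example `if (!preg_match('/^[A-Za-z0-9_-]+$/', $f)) { return; }`, or resolving the path by walking `$config` by reference without eval at all, would close that remaining route. Whether `$field` can carry anything other than names taken from the wizard's XML definition is not visible in this hunk.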
@@ -188,8 +189,9 @@ function update_config_field($field, $updatetext, $unset, $arraynum, $field_type
if ($field_type == "interfaces_selection") {
$var = "\$config{$field_conv}";
$text = "if (isset({$var})) unset({$var});";
- $text .= "\$config" . $field_conv . " = \"" . $updatetext . "\";";
+ $text .= "\$thisvar = &\$config" . $field_conv . ";";
eval($text);
+ $thisvar = $updatetext;
return;
}
@@ -197,8 +199,9 @@ function update_config_field($field, $updatetext, $unset, $arraynum, $field_type
$text = "unset(\$config" . $field_conv . ");";
eval($text);
}
- $text = "\$config" . $field_conv . " = \"" . addslashes($updatetext) . "\";";
+ $text .= "\$thisvar = &\$config" . $field_conv . ";";
eval($text);
+ $thisvar = $updatetext;
}
$title = preg_replace("/pfSense/i", $g['product_name'], $pkg['step'][$stepid]['title']);
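Review bot: The added `$text .= "\$thisvar = &\$config" . $field_conv . ";";` appends to `$text` rather than replacing it, unlike the branch in the previous hunk where `$text` is freshly assigned on the `isset`/`unset` line before the `.=`. When the preceding `if` block ran, its `unset(\$config...)` statement is evaluated a second time; when it did not, `$text` holds whatever the earlier part of update_config_field (outside this hunk) last stored in it, or is undefined, and that is fed to eval() again. The old line used `=`, so this reads as a typo: `$text = "\$thisvar = &\$config" . $field_conv . ";";`. The function's body starts outside the hunk; the `$title = preg_replace(...)` line is top-level code after its closing brace.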