From d3da9c7d2a40d1550fa3f919d5d067f1daaf95f4 Mon Sep 17 00:00:00 2001
From: jim-p
Date: Tue, 7 Feb 2017 14:30:04 -0500
Subject: Rather than setting the value directly, minimize exposure to eval() in update_config_field() from wizard.php by constructing a variable reference, then set the value using the reference rather than passing user input through eval(). Fixes #7230
---
 src/usr/local/www/wizard.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/usr/local/www/wizard.php b/src/usr/local/www/wizard.php
index a61ed0d..96fb5e6 100644
--- a/src/usr/local/www/wizard.php
+++ b/src/usr/local/www/wizard.php
@@ -165,6 +165,7 @@ if ($_POST && !$input_errors) {
 function update_config_field($field, $updatetext, $unset, $arraynum, $field_type) {
 global $config;
 $field_split = explode("->", $field);
+ $thisvar = null;
 foreach ($field_split as $f) {
 $field_conv .= "['" . $f . "']";
 }
@@ -188,8 +189,9 @@ function update_config_field($field, $updatetext, $unset, $arraynum, $field_type
 if ($field_type == "interfaces_selection") {
 $var = "\$config{$field_conv}";
 $text = "if (isset({$var})) unset({$var});";
- $text .= "\$config" . $field_conv . " = \"" . $updatetext . "\";";
+ $text .= "\$thisvar = &\$config" . $field_conv . ";";
 eval($text);
+ $thisvar = $updatetext;
 return;
 }
 
@@ -197,8 +199,9 @@ function update_config_field($field, $updatetext, $unset, $arraynum, $field_type
 $text = "unset(\$config" . $field_conv . ");";
 eval($text);
 }
- $text = "\$config" . $field_conv . " = \"" . addslashes($updatetext) . "\";";
+ $text .= "\$thisvar = &\$config" . $field_conv . ";";
 eval($text);
+ $thisvar = $updatetext;
 }
 
 $title = preg_replace("/pfSense/i", $g['product_name'], $pkg['step'][$stepid]['title']);
-- 
cgit v1.1
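Review bot: In the `foreach` at the top of update_config_field(), each `$f` is still concatenated into `$field_conv` between single quotes with no escaping, and that string is what the eval() calls in the two later hunks execute, so the path segments stay inside evaluated code even though `$updatetext` no longer does. If `$field` can ever carry a quote or backslash (where it comes from is not visible in this hunk), the evaluated statement changes shape; the reference can be bound with no eval() at all, e.g. `$thisvar = &$config; foreach ($field_split as $f) { $thisvar = &$thisvar[$f]; }`. `$field_conv` is also appended to with `.=` before it is ever assigned, so `$field_conv = '';` next to the new `$thisvar = null;` would remove the undefined-variable notice. The function body continues beyond this hunk.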
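Review bot: The added `$thisvar = $updatetext;` after eval() in the `interfaces_selection` branch carries no comment saying that it writes through a reference bound inside the evaluated string, so it reads like a dead local assignment. A comment above it such as `// $thisvar is a reference into $config bound by the eval() above; assign outside eval() so $updatetext is never parsed as code` would keep a later cleanup from folding the value back into `$text`. The same comment fits the matching assignment at the end of the function in the next hunk.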
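Review bot: The replacement line at the end of the function uses `$text .=` where the removed line used `$text =`. When `$unset == "yes"` the string still holds the `unset(...)` statement that was just evaluated, so that statement runs a second time; when the branch is skipped, `$text` appears to be unassigned on this path, since the branch visible in the previous hunk returns (the lines between the hunks are not shown). Plain assignment keeps the evaluated string down to the single reference binding: `$text = "\$thisvar = &\$config" . $field_conv . ";";`.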