| author | Meik Sievertsen <acydburn@phpbb.com> | 2006-11-19 21:00:48 +0000 |
|---|---|---|
| committer | Meik Sievertsen <acydburn@phpbb.com> | 2006-11-19 21:00:48 +0000 |
| commit | 6a082426840164a3c8187559dddf3ab777b958fa (patch) | |
| tree | fd38a30c9f893e71cdb9c5cec3a972036ef53131 /phpBB/includes/functions_module.php | |
| parent | f78289033236a4c108aae5ad8315c60e5f7dc19b (diff) | |
some tiny fixes.
git-svn-id: file:///svn/phpbb/trunk@6614 89ea8834-ac86-4346-8a33-228a782c2dd0
Diffstat (limited to 'phpBB/includes/functions_module.php')
| -rw-r--r-- | phpBB/includes/functions_module.php | 33 |
1 files changed, 31 insertions, 2 deletions
diff --git a/phpBB/includes/functions_module.php b/phpBB/includes/functions_module.php
index 89dda74700..556a4adaba 100644
--- a/phpBB/includes/functions_module.php
+++ b/phpBB/includes/functions_module.php
@@ -213,7 +213,6 @@ class p_master
 
 /**
 * Check module authorisation
- * @todo Have a look at the eval statement and replace with other code...
 */
 function module_auth($module_auth)
 {
@@ -227,8 +226,38 @@ class p_master
 return true;
 }
 
+ // With the code below we make sure only those elements get eval'd we really want to be checked
+ preg_match_all('/(?:
+ "[^"\\\\]*(?:\\\\.[^"\\\\]*)*" |
+ \'[^\'\\\\]*(?:\\\\.[^\'\\\\]*)*\' |
+ [(),] |
+ [^\s(),]+)/x', $module_auth, $match);
+
+ $tokens = $match[0];
+ for ($i = 0, $size = sizeof($tokens); $i < $size; $i++)
+ {
+ $token = &$tokens[$i];
+
+ switch ($token)
+ {
+ case ')':
+ case '(':
+ case '&&':
+ case '||':
+ break;
+
+ default:
+ if (!preg_match('#(?:acl_([a-z_]+)(,\$id)?)|(?:\$id)|(?:aclf_([a-z_]+))|(?:cfg_([a-z_]+))#', $token))
+ {
+ $token = '';
+ }
+ break;
+ }
+ }
+ $module_auth = implode(' ', $tokens);
+
 $is_auth = false;
- eval('$is_auth = (int) (' . preg_replace(array('#acl_([a-z_]+)(,\$id)?#', '#\$id#', '#aclf_([a-z_]+)#', '#cfg_([a-z_]+)#'), array('(int) $auth->acl_get("\\1"\\2)', '(int) $this->acl_forum_id', '(int) $auth->acl_getf_global("\\1")', '(int) $config["\\1"]'), $module_auth) . ');');
+ eval('$is_auth = (int) (' . preg_replace(array('#acl_([a-z_]+)(,\$id)?#', '#\$id#', '#aclf_([a-z_]+)#', '#cfg_([a-z_]+)#'), array('(int) $auth->acl_get(\'\\1\'\\2)', '(int) $this->acl_forum_id', '(int) $auth->acl_getf_global(\'\\1\')', '(int) $config[\'\\1\']'), $module_auth) . ');');
 
 return $is_auth;
 } |
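Review bot: The new token filter in the second hunk drops the comma of a forum-scoped check, because the tokenizer's `[(),]` alternative makes `,` a token of its own while the `switch` only passes `)`, `(`, `&&` and `||`, and the `default:` pattern does not match a bare comma. An `acl_x,$id` expression therefore reaches `eval()` as two adjacent `(int)` terms, which is presumably a parse error that leaves `$is_auth` false rather than evaluating the permission. Adding `case ',':` to the pass-through list and, after the `implode()`, `$module_auth = str_replace(' , ', ',', $module_auth);` would keep the `(,\$id)?` rewrite working. Separately, the whitelist `preg_match()` is unanchored, so a token only needs to contain one allowed name for all of its characters to be kept for the `eval()`; matching the whole token, e.g. `'#^(?:acl_[a-z_]+|\$id|aclf_[a-z_]+|cfg_[a-z_]+)$#'` (extended if module definitions use a prefix such as `!`), makes the filter do what its comment says. The start of `module_auth()` lies between the two hunks and is not visible here.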
