#1 2009-07-10 10:55:20
- MattF
- Member

- From: South Yorkshire, England
- Registered: 2008-05-06
- Posts: 1,230
eval function check
Just wondered if someone could cast their eye over this and check that it's not doing anything silly, dangerous or suchlike, or as to whether there's any extra sanitisation I should include.
```php
function run_code_include($file)
{
	// Finds every code_include((...)) marker in the template text. Note that
	// "." does not match newlines here, so a multi-line include is not matched.
	if (preg_match_all('#code_include\(\((.+?)\)\)#', $file, $code))
	{
		// This call has no effect: array_map() returns a new array and the result
		// is discarded. escapeshellcmd() is also meant for shell commands, not PHP
		// source, so it would not make the eval below safe even if the result were kept.
		array_map('escapeshellcmd', $code[1]);
		foreach ($code[1] as $key => $inc_code)
		{
			// Capture whatever the eval'd code prints and substitute it for the marker.
			ob_start();
			eval(utf8_trim($inc_code)); // utf8_trim() is FluxBB's UTF-8 aware trim()
			$inc_code = ob_get_contents();
			ob_end_clean();
			$file = str_replace($code[0][$key], $inc_code, $file);
		}
	}
	return $file;
}
```

It's a function to execute code includes in template files (the file is read in via file_get_contents), and replace the template include with the output of the include.
Cheers.
Last edited by MattF (2009-07-11 00:45:40)
Screw the chavs and God save the Queen!
#2 2009-07-10 19:30:10
- twohawks
- Member

- From: Stateline, NV USA
- Registered: 2008-05-11
- Posts: 135
Re: eval function check
Probably already happening with what is already built into FluxBB or something you are already doing yourself (I am not the genius)..., but because this looks similar to some code I created for doing a similar thing on some of my other web-creations I thought I would mention....
.... I use some session management code for directly checking so those files (and/or their code) cannot be accessed/called from outside the webserver or real site pages. Something like, the caller file sets up a check, and the included file runs a self, and back, check (if that makes sense). I cannot remember off-hand (been a while since I visited the code), but I seem to remember discovering something about ...because of the way I was reading/streaming the file data in, there was a way for schmo-hacker to figure out how to access it directly without relying on my other pages' code.
Probably not needed here as Flux runs with cookies and sessions and all that already, but it just came to mind when I saw this.
PS: ...and not being the genius php coder I cannot say if my approach is good or bad... I just know it's what I do and it works well for me ;^()
Last edited by twohawks (2009-07-10 19:36:06)
TwoHawks
Love is the Function.
No Form is the Tool.
#3 2009-07-10 20:23:48
- MattF
- Member

- From: South Yorkshire, England
- Registered: 2008-05-06
- Posts: 1,230
Re: eval function check
> .... I use some session management code for directly checking so those files (and/or their code) cannot be accessed/called from outside the webserver or real site pages.
It should be safe in that regard. The functions file just returns if the config file isn't loaded and that function is nested within another function.
Must admit though, especially with my dislike of eval, I'm becoming more and more tempted to create an include files dir for the templates and change it to an include instead of eval for files in that dir. From the testing I've been doing, eval does also seem to be awfully quirky. It seems to return non-fatal errors on perfectly legitimate code constructs and suchlike. I'll probably be using include instead of eval, before the day is out. Same function but with that single difference.
Last edited by MattF (2009-07-11 00:44:21)
Screw the chavs and God save the Queen!
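MattF's plan in #3 is to keep the same function but include a file from a dedicated template-include directory instead of eval'ing the captured text. The PHP below is an added example of that approach; it is not code from this thread or from FluxBB. The directory constant, the resolve_template_include() helper and the sample template are assumptions. It also answers the sanitisation question from #1: once the captured string is treated strictly as a file name (letters, digits, underscore and hyphen only, resolved with realpath() and checked against the directory prefix) it is never executed as code, so there is nothing left to escape.

```php
<?php
// Added example (not MattF's code): include-from-a-whitelisted-directory
// replacement for the eval() based run_code_include(). Keeps the
// code_include((name)) template syntax but never evals template text.

define('TEMPLATE_INC_DIR', __DIR__ . '/include/templates'); // assumed location

// Map an include name from the template to a file path inside
// TEMPLATE_INC_DIR, or return false if it is malformed or escapes the dir.
function resolve_template_include($name)
{
	// Only allow simple names: letters, digits, underscore, hyphen.
	// This rejects "../", slashes, null bytes, whitespace and PHP code outright.
	if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
		return false;
	}
	$base = realpath(TEMPLATE_INC_DIR);
	$path = realpath(TEMPLATE_INC_DIR . '/' . $name . '.php');
	// realpath() is false for a missing file; the prefix check also catches a
	// symlink inside the directory that points somewhere outside it.
	if ($base === false || $path === false
		|| strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
		return false;
	}
	return $path;
}

// Same marker as the original function, but the captured text is a file
// name, not code. preg_replace_callback() replaces every marker in one pass.
function run_code_include($file)
{
	return preg_replace_callback(
		'#code_include\(\(([^()]+)\)\)#',
		function ($m) {
			$path = resolve_template_include(trim($m[1]));
			if ($path === false) {
				// Unknown or malformed include: drop the marker rather than
				// leaving it (or a PHP warning) in the rendered page.
				return '';
			}
			ob_start();
			include $path;          // output of the include replaces the marker
			return ob_get_clean();
		},
		$file
	);
}

// Usage: $file would come from file_get_contents() on the template, as in the
// original post. The template text here is constructed for the example; the
// second marker is rejected by resolve_template_include() and removed.
$template = "<p>Header</p>\n"
	. "code_include((sidebar))\n"
	. "code_include((../../config))\n"
	. "<p>Footer</p>";
echo run_code_include($template);
```

The character whitelist does the real work; realpath() plus the prefix comparison is the second line of defence, so a name that somehow passes the pattern still cannot resolve to a file outside the include directory. If a missing include should be visible to the template author, return a fixed marker such as `<!-- include not found -->` from the callback instead of an empty string; do not echo the name back, since it came from the template text.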
#4 2009-07-10 23:43:00
- twohawks
- Member

- From: Stateline, NV USA
- Registered: 2008-05-11
- Posts: 135
Re: eval function check
Hmmm, oh yeah, and I wasn't really using eval to pull in whole files either.
It would be really interesting to hear from one of our (other) experts as to why this is (probably?) so dangerous for you to use eval for this!
Last edited by twohawks (2009-07-10 23:43:17)
TwoHawks
Love is the Function.
No Form is the Tool.