[pmwiki-users] MarkupExpressionsExtensions

Petko Yotov 5ko at free.fr
Tue Apr 17 02:56:32 CDT 2007


On Tuesday 17 April 2007 09:20, Hans wrote:
> Monday, April 16, 2007, 3:00:34 PM, The wrote:
> > 5) As far as Hans's concern about using eval in the math function, I'm
> > pretty sure the function's pattern matching check on the input value
> > will eliminate any possible risk. It is a very nice, concise, and
> > functional bit of code--and it's been asked for by several people over
> > the last few months. Of course, if someone comes up with a better
> > solution, I'd be happy to see it changed.
>
> I would really like someone else's opinion on this.
>
> Is the math function safe?
>
>   ~Hans

We are talking about the Cookbook/MarkupExpressionsExtensions recipe right?

It depends.

It is safe in that it will not break anything existent, nor reveal private 
information, as it allows the eval'd string to contain only numbers and 
operators. No PHP function can be executed, no internal variable can be printed.

It is not safe because if the expression is not mathematically correct, it 
will nevertheless try to execute it, and this will result in a Fatal Error. Try 
with
   {(math '12+(*')}
But you can tell your users not to write such incorrect expressions.

There is a math eval class; while much more complete and complicated (it even 
deals with internal variables and functions), it is reviewed by a community of 
PHP experts and is probably secure: 
http://www.phpclasses.org/browse/package/2695.html

There are also functions simpler than the class in the PHP manual at 
http://php.net/eval, but both of them will die on an incorrect expression.

Yeah, evaluating user-input code is a big deal; it should be done right or not at 
all.

Petko
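The point of the thread is that a character whitelist keeps eval() from running arbitrary PHP, but it cannot tell a well-formed expression from a malformed one such as '12+(*', so the fatal error remains. The following is an added example, not code from the MarkupExpressionsExtensions recipe or from anyone on this list: a small recursive-descent evaluator that parses the expression itself and never calls eval(), so malformed input is rejected (returning null) instead of crashing the page. The whitelist regex, the SafeMath class name and the supported operator set (+ - * / % ^ and parentheses) are assumptions for illustration; the recipe's own pattern is not reproduced here.

```php
<?php
// Added example (not part of the MarkupExpressionsExtensions recipe):
// evaluate an arithmetic expression without eval().
// A character whitelist alone cannot distinguish "12+3" from "12+(*",
// so syntax errors have to be caught by an actual parser.

final class SafeMath
{
    private string $s;
    private int $i = 0;

    private function __construct(string $s) { $this->s = $s; }

    /**
     * Returns the numeric value of $expr, or null if $expr is not a
     * well-formed arithmetic expression. Never calls eval().
     */
    public static function evaluate(string $expr): ?float
    {
        // Assumed whitelist: digits, '.', + - * / % ^, parentheses, spaces.
        if (!preg_match('/^[0-9.+\-*\/%^() ]+$/', $expr)) {
            return null;
        }
        $p = new self(str_replace(' ', '', $expr));
        try {
            $v = $p->expr();
            if ($p->i !== strlen($p->s)) {   // trailing garbage, e.g. "1)2"
                return null;
            }
            return $v;
        } catch (\RuntimeException $e) {
            return null;                     // syntax error or division by zero
        }
    }

    // expr := term (('+'|'-') term)*
    private function expr(): float
    {
        $v = $this->term();
        while (($c = $this->peek()) === '+' || $c === '-') {
            $this->i++;
            $r = $this->term();
            $v = ($c === '+') ? $v + $r : $v - $r;
        }
        return $v;
    }

    // term := factor (('*'|'/'|'%') factor)*   ('%' is fmod on floats here)
    private function term(): float
    {
        $v = $this->factor();
        while (($c = $this->peek()) === '*' || $c === '/' || $c === '%') {
            $this->i++;
            $r = $this->factor();
            if ($c === '*') {
                $v *= $r;
            } elseif ($r == 0.0) {
                throw new \RuntimeException('division by zero');
            } else {
                $v = ($c === '/') ? $v / $r : fmod($v, $r);
            }
        }
        return $v;
    }

    // factor := ('+'|'-') factor | primary ('^' factor)?
    // Unary minus binds looser than '^', so "-2^2" is -4, as with PHP's **.
    private function factor(): float
    {
        $c = $this->peek();
        if ($c === '-') { $this->i++; return -$this->factor(); }
        if ($c === '+') { $this->i++; return $this->factor(); }
        $base = $this->primary();
        if ($this->peek() === '^') {
            $this->i++;
            return $base ** $this->factor();
        }
        return $base;
    }

    // primary := '(' expr ')' | number
    private function primary(): float
    {
        if ($this->peek() === '(') {
            $this->i++;
            $v = $this->expr();
            if ($this->peek() !== ')') {
                throw new \RuntimeException('expected )');
            }
            $this->i++;
            return $v;
        }
        // \G anchors the match at the current offset.
        if (preg_match('/\G(?:\d+(?:\.\d*)?|\.\d+)/', $this->s, $m, 0, $this->i)) {
            $this->i += strlen($m[0]);
            return (float) $m[0];
        }
        throw new \RuntimeException('unexpected input at offset ' . $this->i);
    }

    private function peek(): ?string
    {
        return $this->i < strlen($this->s) ? $this->s[$this->i] : null;
    }
}

// The malformed expression from the thread is rejected instead of killing
// the request; a valid one is computed.
var_dump(SafeMath::evaluate('12+(*'));      // NULL
var_dump(SafeMath::evaluate('2*(3+4)^2'));  // float(98)
```

Because the grammar is checked before anything is computed, a markup expression can fall back to printing the raw text (or an error message) when evaluate() returns null, which is the behaviour a wiki page wants rather than a fatal error.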

