Escaping of config and language strings
Posted: Tue Jul 17, 2012 7:43 pm
Hello Community,
While trying to implement encrypted passwords, I've stumbled again across the wrong escaping of config and language strings. I reported this a while ago for the pluginloader, but this time I had similar problems in the core. cmsimple/adm.php line 327:
    $text .= '$' . $a . '[\'' . $k1 . '\'][\'' . $k2 . '\']="' . preg_replace("/\"/s", "", $GLOBALS[$a][$k1][$k2]) . '";' . "\n";
IMO too simple a solution: just remove all double quotes, as they would corrupt the string -- and hope that the user won't enter a backslash (which will often eat up the next character) or even a $ sign (which will eat up the following characters, or in the worst case insert the value of a variable).
Why not simply use addcslashes()?
    addcslashes($GLOBALS[$a][$k1][$k2], "\0..\37\"\$\\")
This $charlist should cater for all possibilities, and so I would prefer it over my suggestion in the thread about the pluginloader's escaping.
IMO this should have been already fixed.
Christoph
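Editor's note: the following is an added example, not code from the post or from the CMSimple core. It writes a few constructed values into generated PHP with the quote-stripping approach quoted above, with the addcslashes() charlist proposed in the post, and with var_export() as a further alternative, then loads each result back. eval() stands in for the include() the core performs, the array is flat instead of the core's two-level $GLOBALS[$a][$k1][$k2], and the $tok variable is a hypothetical stand-in for whatever happens to be in scope when the config file is included.

```php
<?php
// Added example (not CMSimple code): escaping config values that are written
// into a PHP file and later include()d. A flat array replaces the core's
// two-level $GLOBALS[$a][$k1][$k2] to keep the example short.

// Constructed sample values, one per problem character.
const SAMPLE = [
    'password' => 'pa"ss$tok',   // double quote and a dollar sign
    'path'     => 'C:\new\tab',  // backslashes that PHP reads as \n and \t
    'note'     => "one\ntwo",    // a control character (newline)
];

// Naive writer, as in adm.php: drop every double quote, emit the rest verbatim.
function write_naive(string $var, array $values): string {
    $text = '';
    foreach ($values as $k => $v) {
        $text .= '$' . $var . "['" . $k . "']=\"" . preg_replace('/"/s', '', $v) . "\";\n";
    }
    return $text;
}

// Writer using the charlist from the post: control characters, double quote,
// dollar sign and backslash are escaped so the value survives PHP's
// double-quoted string parsing unchanged.
function write_escaped(string $var, array $values): string {
    $text = '';
    foreach ($values as $k => $v) {
        $text .= '$' . $var . "['" . $k . "']=\"" . addcslashes($v, "\0..\37\"\$\\") . "\";\n";
    }
    return $text;
}

// Alternative: var_export() emits a single-quoted literal, where only ' and \
// have any meaning, so nothing else needs escaping.
function write_exported(string $var, array $values): string {
    $text = '';
    foreach ($values as $k => $v) {
        $text .= '$' . $var . "['" . $k . "']=" . var_export($v, true) . ";\n";
    }
    return $text;
}

// Stand-in for include(): evaluate the generated file in a scope that, like the
// real one, already holds other variables an interpolated "$name" can pick up.
function load(string $php): array {
    $tok = 'session-secret';  // hypothetical variable in scope at include time
    $cfg = [];
    eval($php);
    return $cfg;
}

foreach (['write_naive', 'write_escaped', 'write_exported'] as $writer) {
    $loaded = load($writer('cfg', SAMPLE));
    printf("%-15s %s\n", $writer, $loaded === SAMPLE ? 'round-trips' : 'CORRUPTED');
    foreach ($loaded as $k => $v) {
        printf("  %-9s %s\n", $k, json_encode($v));
    }
}
```

With the naive writer the password comes back as "pass" followed by the contents of $tok, and the path comes back with a real newline and tab in it; the other two writers return the array unchanged. One corner case of the addcslashes() route worth checking against the PHP version in use: addcslashes() renders BEL (0x07) and backspace (0x08) as \a and \b, which PHP's double-quoted strings do not recognise as escapes, so those two bytes would come back as a literal backslash plus letter; var_export() avoids the question entirely because single-quoted strings have no such escapes.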