Changed the algorithm used in _reset_post_array() to no longer rely on eval(), plugging an arbitrary script execution hole
http://codeigniter.com/bug_tracker/bug/6068/
diff --git a/system/libraries/Form_validation.php b/system/libraries/Form_validation.php
index 7be93a1..0917532 100644
--- a/system/libraries/Form_validation.php
+++ b/system/libraries/Form_validation.php
@@ -416,45 +416,36 @@
}
else
{
- $post = '$_POST["';
+ // start with a reference
+ $post_ref =& $_POST;
+ // before we assign values, make a reference to the right POST key
if (count($row['keys']) == 1)
{
- $post .= current($row['keys']);
- $post .= '"]';
+ $post_ref =& $post_ref[current($row['keys'])];
}
else
{
- $i = 0;
foreach ($row['keys'] as $val)
{
- if ($i == 0)
- {
- $post .= $val.'"]';
- $i++;
- continue;
- }
-
- $post .= '["'.$val.'"]';
+ $post_ref =& $post_ref[$val];
}
}
-
+
if (is_array($row['postdata']))
- {
+ {
$array = array();
foreach ($row['postdata'] as $k => $v)
{
$array[$k] = $this->prep_for_form($v);
}
-
- $post .= ' = $array;';
+
+ $post_ref = $array;
}
else
- {
- $post .= ' = "'.$this->prep_for_form($row['postdata']).'";';
+ {
+ $post_ref = $this->prep_for_form($row['postdata']);
}
-
- eval($post);
}
}
}