Index: wp-includes/classes.php
===================================================================
--- wp-includes/classes.php	(revision 11201)
+++ wp-includes/classes.php	(working copy)
@@ -214,9 +214,8 @@
 
 					// Trim the query of everything up to the '?'.
 					$query = preg_replace("!^.+\?!", '', $query);
-
 					// Substitute the substring matches into the query.
-					eval("@\$query = \"" . addslashes($query) . "\";");
+					$query = addslashes(WP_MatchesMapRegex::exec($query, $matches));
 
 					$this->matched_query = $query;
 
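Review bot: The new line wraps the substituted result in addslashes(), so backslashes are now added to the values taken from $matches (and to any quote or backslash they contain), whereas in the eval version addslashes() only escaped the rule text for embedding in the double-quoted literal and the double quotes and backslashes it added were consumed again when PHP parsed that literal; the interpolated $matches values were never escaped. If slashing the expanded query is intended — for example to keep it consistent with request variables that are slashed elsewhere — a one-line comment would stop a later reader from "fixing" it: `// Slash the expanded query; the eval version's string parsing used to consume the slashes addslashes() added.` If it is not intended, drop the wrapper: `$query = WP_MatchesMapRegex::exec($query, $matches);`. The same construction appears in the rewrite.php hunk at line 299 and should get the same treatment; the enclosing method body continues outside both hunks.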
@@ -1592,4 +1591,93 @@
 	}
 }
 
+/**
+ * WP_MatchesMapRegex
+ *  
+ * helper class to prevent the usage of eval to replace $matches[] in query strings.
+ */
+class WP_MatchesMapRegex {
+	/**
+	 * store for matches
+	 * 
+	 * @access private
+	 * @var array
+	 */
+	var $_matches;
+	
+	/**
+	 * store for mapping result
+	 * 
+	 * @access public
+	 * @var string
+	 */
+	var $output;
+	
+	/**
+	 * subject to perform mapping on (query string containing $matches[] references
+	 * 
+	 * @access private
+	 * @var string
+	 */
+	var $_subject;
+	
+	/**
+	 * regexp pattern to match $matches[] references 
+	 * 
+	 * @var string
+	 */
+	var $_pattern = '(\$matches\[[1-9]+[0-9]*\])'; // magic number
+	
+	/**
+	 * constructor
+	 * 
+	 * @param string $subject subject if regex
+	 * @param array  $matches data to use in map
+	 * @return self
+	 */						
+	function WP_MatchesMapRegex($subject, $matches) {
+		$this->_subject = $subject;
+		$this->_matches = $matches;
+		$this->output = $this->_map();				
+	}
+	
+	/**
+	 * Substitute substring matches in subject.
+	 * 
+	 * static helper function to ease use
+	 * 
+	 * @access public
+	 * @param string $subject subject
+	 * @param array  $matches data used for subsitution
+	 * @return string
+	 */
+	function exec($subject, $matches) {
+		$oSelf =& new WP_MatchesMapRegex($subject, $matches);
+		return $oSelf->output;																
+	}
+	
+	/**
+	 * do the actual mapping 
+	 * 
+	 * @access private
+	 * @return string
+	 */
+	function _map() {
+		$callback = array(&$this, 'callback');
+		return preg_replace_callback($this->_pattern, $callback, $this->_subject);
+	}
+	
+	/**
+	 * preg_replace_callback hook
+	 * 
+	 * @access public
+	 * @param  array $matches preg_replace regexp matches
+	 * @return string
+	 */
+	function callback($matches) {
+		return $this->_matches[intval(substr($matches[0], 9, -1))];
+	}
+	
+}
+
 ?>
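Review bot: callback() at line 104 indexes $this->_matches without checking that the key exists, so a rule referencing a group the pattern did not capture (say `$matches[4]` against a three-group regex) raises an undefined-index notice and preg_replace_callback() substitutes an empty string for the null return; the classes.php caller previously silenced this with `@`, the rewrite.php caller did not. Make the fallback explicit: `$index = intval(substr($matches[0], 9, -1)); return isset($this->_matches[$index]) ? $this->_matches[$index] : '';`. In exec() at line 81, `$oSelf =& new WP_MatchesMapRegex(...)` assigns the result of new by reference, which is unnecessary and is deprecated from PHP 5.3 — `$oSelf = new WP_MatchesMapRegex($subject, $matches);` suffices — and since both callers invoke exec() statically it should be declared `static` once the PHP 4 compatibility the `var`/constructor style suggests is no longer required. The class docblock at line 23 (and the `// magic number` comment at line 55) would be more useful stating the contract that replaces eval: `only literal $matches[N] tokens with N >= 1 are substituted; no other interpolation or expression evaluation takes place`.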
Index: wp-includes/rewrite.php
===================================================================
--- wp-includes/rewrite.php	(revision 11201)
+++ wp-includes/rewrite.php	(working copy)
@@ -299,7 +299,7 @@
 			$query = preg_replace("!^.+\?!", '', $query);
 
 			// Substitute the substring matches into the query.
-			eval("\$query = \"" . addslashes($query) . "\";");
+			$query = addslashes(WP_MatchesMapRegex::exec($query, $matches));
 			// Filter out non-public query vars
 			global $wp;
 			parse_str($query, $query_vars);
