Opened 5 years ago

Closed 5 years ago

#10650 closed defect (bug) (fixed)

eval() in wp-admin/includes/class-pclzip.php should be replaced

Reported by: Hans Spath
Owned by: westi
Milestone: 2.9
Priority: normal
Severity: normal
Version:
Component: Administration
Keywords:
Focuses:
Cc:

Description

On some systems eval() is disabled due to security reasons.

In wp-admin/includes/class-pclzip.php eval() is used several times like this:

      // ----- Call the callback
      // Here I do not use call_user_func() because I need to send a reference to the
      // header.
      eval('$v_result = '.$p_options[PCLZIP_CB_PRE_ADD].'(PCLZIP_CB_PRE_ADD, $v_local_header);');

It's true that passing references with call_user_func() is a problem, but you can use either

    $v_result = $p_options[PCLZIP_CB_PRE_ADD] (PCLZIP_CB_PRE_ADD, $v_local_header);

or

    $v_result = call_user_func_array($p_options[PCLZIP_CB_PRE_ADD], array(PCLZIP_CB_PRE_ADD, &$v_local_header));

instead.
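
The two eval()-free call forms proposed in the description, as an added example that is not part of the original ticket or of PclZip's code. `DEMO_CB_PRE_ADD`, `rename_entry()` and `invoke_pre_add()` are hypothetical names, and the header array is constructed sample data.

```php
<?php
// Added example. DEMO_CB_PRE_ADD, rename_entry() and invoke_pre_add() are
// hypothetical stand-ins for PclZip's option key, a user callback and the
// library's internal call site.
const DEMO_CB_PRE_ADD = 1;

// Callback in the shape the ticket describes: it receives the event id and
// the header by reference, so its changes must be visible to the caller.
function rename_entry($event, &$header) {
    $header['stored_filename'] = 'backup/' . $header['stored_filename'];
    return 1;
}

// Invoke the configured callback without eval(). The option value is only
// ever resolved as a callable; it is never compiled as PHP source.
function invoke_pre_add(array $options, array &$header, $use_array_form = false) {
    $callback = isset($options[DEMO_CB_PRE_ADD]) ? $options[DEMO_CB_PRE_ADD] : null;
    if (!is_callable($callback)) {
        return 0; // anything that does not resolve to a callable is rejected
    }
    if ($use_array_form) {
        // The & inside array() carries the reference through call_user_func_array().
        return call_user_func_array($callback, array(DEMO_CB_PRE_ADD, &$header));
    }
    // Variable-function call: arguments bind exactly as in a direct call.
    return $callback(DEMO_CB_PRE_ADD, $header);
}

// Constructed sample headers, one per call form.
$h1 = array('stored_filename' => 'a.txt');
$h2 = array('stored_filename' => 'a.txt');
$h3 = array('stored_filename' => 'a.txt');

$good = array(DEMO_CB_PRE_ADD => 'rename_entry');
// Constructed option value that is not a function name: with eval() it would
// have been concatenated into source code; here it is simply not callable.
$bad = array(DEMO_CB_PRE_ADD => 'rename_entry; not a function name');

var_dump(invoke_pre_add($good, $h1));       // variable-function form
var_dump(invoke_pre_add($good, $h2, true)); // call_user_func_array form
var_dump(invoke_pre_add($bad, $h3));        // rejected by is_callable()
var_dump($h1['stored_filename'], $h2['stored_filename'], $h3['stored_filename']);
```

Both call forms let the callback modify the caller's header, which is the requirement the original code comment gives for using eval().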

Change History (3)

comment:1 westi, 5 years ago

  • Milestone changed from Unassigned to 2.9
  • Owner set to westi
  • Status changed from new to reviewing

comment:2 westi, 5 years ago

Looking into the best solution for this.

Trying to work with the upstream developer to get this changed.

comment:3 westi, 5 years ago

  • Resolution set to fixed
  • Status changed from reviewing to closed

(In [11993]) Update pclzip to 2.8.2 - Fixes #10650 and #10777.
Includes:

  • Removal of eval()s
  • Merge WordPress 64 bit fix upstream