Yep, I think we're clear on the "no suitable replacement" for eval. It's why I think ever using eval for something should be avoided and I'm surprised to see it here.
To me, this is not solved without removing that functionality. Hampering it is mere mitigation. I agree that #3 seems like it should be un-bypassable, but the thing you're trying to gate off is pretty dangerous and once this gets disclosed, anyone who didn't think to try leveraging that vulnerability will surely be on the case.
To me #2 is the minimum mitigation to even proceed, with default to off. Perhaps #2 where enabled gets you #3 would be better. Honestly, #1 is the approach I'd take. Any of the three will require users to modify their templates I think, so you might as well go for the gold.
Yep, I think we're clear on the "no suitable replacement" for eval. It's why I think ever using eval for something should be avoided and I'm surprised to see it here.
To me, this is not solved without removing that functionality. Hampering it is mere mitigation. I agree that #3 seems like it should be un-bypassable, but the thing you're trying to gate off is pretty dangerous and once this gets disclosed, anyone who didn't think to try leveraging that vulnerability will surely be on the case.
To me #2 is the minimum mitigation to even proceed, with default to off. Perhaps #2 where enabled gets you #3 would be better. Honestly, #1 is the approach I'd take. Any of the three will require users to modify their templates I think, so you might as well go for the gold.
Just MHO.