Use of eval too unrestrictive
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| php-gettext | Triaged | Critical | Данило Шеган | |
Bug Description
The php-gettext code that parses the plural forms header relies on eval() and only filters out some known-bad characters before passing the value from an MO file directly to eval().
It was assumed that PO and MO files would come from trusted translators, without any attempts to potentially exploit the service being translated. While there has still been no case where this has been exploited, we should move to the same parsing logic the gettext C library uses:
* http://
* http://
* http://
This has been reported by Jean-Marie Bourbon as affecting NagVis, which has since fixed it by commenting out all the plural forms code: https:/
Jean-Marie was also kind enough to start CVE-2016-6175 for this issue.
CVE References: CVE-2016-6175

Activity: description updated; information type changed from Private Security to Public Security.
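The kind of parser the report asks for, as an added example (not php-gettext's or gettext's own code, and written in Python rather than PHP): the `plural=` value is tokenized against an allow-list and evaluated by a recursive-descent parser with C precedence, so the header string never reaches eval(). The function name `plural_index`, the header format it expects, and the choice that division by zero yields 0 are this example's own.

```python
# Added example (not php-gettext's own code): recursive-descent evaluator for a
# gettext Plural-Forms rule, so the MO header value is never handed to eval().
import operator as o
import re

# Known tokens; the trailing \S turns any other character into a token the parser
# rejects: the grammar is allow-listed instead of filtering known-bad characters.
TOKEN = re.compile(r"n|\d+|<=|>=|==|!=|&&|\|\||[-+*/%<>!?:()]|\S")
LEVELS = [["||"], ["&&"], ["==", "!="], ["<", ">", "<=", ">="], ["+", "-"], ["*", "/", "%"]]
# Operands are already evaluated, so "/ 0" yields 0 rather than failing in an unreached branch.
OPS = {"||": lambda a, b: bool(a or b), "&&": lambda a, b: bool(a and b), "==": o.eq,
       "!=": o.ne, "<": o.lt, ">": o.gt, "<=": o.le, ">=": o.ge, "+": o.add, "-": o.sub,
       "*": o.mul, "/": lambda a, b: a // b if b else 0, "%": lambda a, b: a % b if b else 0}


def plural_index(header, n):
    """Plural form index for n under the plural= rule of a Plural-Forms header value."""
    m = re.search(r"plural\s*=\s*([^;]+)", header)
    if not m:
        raise ValueError("no plural= rule in header")
    tok = TOKEN.findall(m.group(1)) + [None]  # None marks end of input
    def take(want):  # consume the next token, which must equal `want`
        if tok[0] != want:
            raise ValueError(f"unexpected token {tok[0]!r}")
        return tok.pop(0)
    def ternary():  # cond ? a : b, right-associative
        cond = binary(0)
        if tok[0] != "?":
            return cond
        take("?")
        yes, _, no = ternary(), take(":"), ternary()
        return yes if cond else no
    def binary(lvl):  # precedence climbing over LEVELS, lowest level first
        if lvl == len(LEVELS):
            return unary()
        left = binary(lvl + 1)
        while tok[0] in LEVELS[lvl]:
            left = int(OPS[take(tok[0])](left, binary(lvl + 1)))
        return left
    def unary():  # "!" or a primary: n, integer, ( expr )
        t = take(tok[0])
        if t == "!":
            return 0 if unary() else 1
        if t == "(":
            value, _ = ternary(), take(")")
            return value
        if t == "n" or (t is not None and t.isdigit()):
            return n if t == "n" else int(t)
        raise ValueError(f"unexpected token {t!r}")
    index, _ = ternary(), take(None)  # every token must have been consumed
    return index
```

Any header whose rule contains something other than integer arithmetic on `n` (an identifier, a stray `=`, a call) raises ValueError instead of being executed.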
Removing usage of eval() was one of the reasons why we forked php-gettext at phpMyAdmin, see https://github.com/phpmyadmin/motranslator/. It is not a drop-in replacement, but it can provide a compatible API.