Applications such as Tiny Tiny RSS continue to use the php-gettext library. Due to this issue, they are at risk of not getting included in the next release of Debian and FreedomBox.
To address this, I have implemented a parser for the plurals expressions instead of using the eval() method, as discussed in this bug as a solution. This patch is under the same license as php-gettext (GPLv2 or higher).
- A simple operator-precedence parser that prioritizes simplicity and readability. Avoids using eval() for evaluating plural expressions.
- Fixes CVE-2016-6175.
- Fixes upstream bug https://bugs.launchpad.net/php-gettext/+bug/1606184
- Fixes Debian bug https://bugs.debian.org/851771
- Grammar for parsing code is the same as the grammar for the GNU gettext library: http://git.savannah.gnu.org/cgit/gettext.git/tree/gettext-runtime/intl/plural.y
- Extensive tests for various locales with help from Unicode's plurals rules. Tests for invalid syntax and expression parsing.
Please consider applying the patch and making a new release of php-gettext. Many thanks to the authors for the original implementation.
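The approach described above, a small recursive-descent parser for the plural.y grammar that evaluates the Plural-Forms expression without ever passing it to eval(), shown here in Python as an added example (this is not the php-gettext patch itself). Assumptions made here: expressions are evaluated over non-negative n, division by zero yields 0 rather than an error, and the Russian rule used in the test is a constructed sample header value.

```python
import operator as op
import re
# Token grammar of GNU gettext's plural.y: integers, the variable n, C operators.
TOKEN_RE = re.compile(r'\d+|n|\|\||&&|==|!=|<=|>=|[<>+\-*/%!?:()]')
# Binary operators by precedence, lowest first, all left-associative. n is an
# unsigned integer in gettext, so // matches C's /; division by zero yields 0 (our choice).
BINARY = [{'||': lambda a, b: bool(a) or bool(b)}, {'&&': lambda a, b: bool(a) and bool(b)},
          {'==': op.eq, '!=': op.ne}, {'<': op.lt, '>': op.gt, '<=': op.le, '>=': op.ge},
          {'+': op.add, '-': op.sub}, {'*': op.mul, '/': lambda a, b: a // b if b else 0,
          '%': lambda a, b: a % b if b else 0}]

def tokenize(expr):
    toks = TOKEN_RE.findall(expr)
    if ''.join(toks) != ''.join(expr.split()):  # leftover characters: outside the grammar
        raise SyntaxError(f'invalid characters in {expr!r}')
    return [int(t) if t.isdigit() else t for t in toks]
def ternary(toks):  # cond ? a : b, right-associative as in plural.y
    cond = binary(toks, 0)
    if not toks or toks[0] != '?':
        return cond
    toks.pop(0)
    yes = ternary(toks)
    if not toks or toks.pop(0) != ':':
        raise SyntaxError("expected ':' in conditional")
    no = ternary(toks)
    return lambda n: yes(n) if cond(n) else no(n)
def binary(toks, level):  # precedence climbing over the BINARY table
    operand = (lambda t: binary(t, level + 1)) if level + 1 < len(BINARY) else unary
    left = operand(toks)
    while toks and toks[0] in BINARY[level]:
        f, l, r = BINARY[level][toks.pop(0)], left, operand(toks)
        left = lambda n, f=f, l=l, r=r: f(l(n), r(n))  # bind this iteration's operands
    return left
def unary(toks):  # '!' expr, '(' expr ')', n, or an integer literal
    tok = toks.pop(0) if toks else None
    if tok == '!':
        return (lambda f: lambda n: not f(n))(unary(toks))
    if tok == '(':
        inner = ternary(toks)
        if not toks or toks.pop(0) != ')':
            raise SyntaxError("expected ')'")
        return inner
    if tok == 'n' or isinstance(tok, int):
        return (lambda n: n) if tok == 'n' else (lambda n: tok)
    raise SyntaxError(f'unexpected token {tok!r}')
def compile_plural(expr):  # parse once; returns n -> plural index, never executing expr
    root = ternary(toks := tokenize(expr))
    if toks:
        raise SyntaxError(f'trailing input: {toks[0]!r}')
    return lambda n: int(root(n))
```

Anything outside the grammar (identifiers other than n, function calls, semicolons) fails in tokenize or the parser with SyntaxError, so a hostile Plural-Forms header in a .mo file can at worst be rejected, never run.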