r79264 MediaWiki - Code Review archive

Repository:	MediaWiki
Revision:	< r79263‎ \| r79264 \| r79265 >
Date:	16:57, 30 December 2010
Author:	platonides
Status:	ok
Tags:
Comment:	Poison eval and create_function The required file may contain only defines, so don't short-circuit.
Modified paths:	/trunk/tools/code-utils/check-vars.php (modified) (history)

Diff [purge]

Index: trunk/tools/code-utils/check-vars.php
—	—	@@ -71,6 +71,8 @@
72	72	static $poisonedFunctions = array(
73	73	'addslashes' => 'Replace with Database::addQuotes/strencode',
74	74	'mysql_escape_string' => 'Replace with Database::addQuotes/strencode',
	75	+ 'create_function' => 'create_function should be avoided. See http://www.mediawiki.org/wiki/Security_for_developers#Dynamic_code_generation',
	76	+ 'eval' => 'eval should be avoided. See r78046', # eval.php is magically not listed for not containing any function. Should get an exception if it starts being parsed.
75	77	);
76	78
77	79	protected $generateDeprecatedList = false;
—	—	@@ -555,7 +557,7 @@
556	558	$this->mConstants = array_merge( $this->mConstants, self::$mRequireKnownConstants[$requirePath] );
557	559	} else {
558	560	$newCheck = new CheckVars;
559		~~- $newCheck->load( $requirePath );~~
	561	+ $newCheck->load( $requirePath, false );
560	562	$newCheck->execute();
561	563	/* Get the classes defined there */
562	564	$this->mKnownFileClasses = array_merge( $this->mKnownFileClasses, $newCheck->mKnownFileClasses );

20:58, 15 April 2011 Reedy (talk | contribs) changed the status of r79264 [removed: new added: ok]