[Resolved] Jarrod Whitley

    (@jarrodwhitley0518)


    After our site was hacked I began a review of our codebase searching for potential vulnerabilities. I found a list of PHP functions that are considered to be dangerous in that they create vulnerabilities: http://php.net/manual/en/function.eval.php

    I found one of those functions “eval()” in /wp-content/plugins/wp-simple-firewall/src/lib/vendor/twig/lib/Twig/Environment.php

    Rasmus Lerdorf, the BDFL of PHP said “If eval() is the answer, you’re almost certainly asking the wrong question.”

    So finding the use of eval() in your code is greatly concerning. Can you please explain why I should not be concerned and continue to use your plugin?

    • This topic was modified 7 years, 3 months ago by Jarrod Whitley. Reason: title grammar
    Plugin Author One Dollar Plugin

    (@onedollarplugin)

    Because the templating library, Twig, uses eval. That’s how it works in order to render the Twig templates it parses and executes as necessary.

    eval() isn’t in and of itself a vulnerability. It matters very much how it’s used. eval() is a dangerous function which should be used sparingly and with great care, but it’s not a vulnerability. We don’t use eval() anywhere in our own code as it’s entirely unnecessary.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    I’ve removed the php, security, vulnerability tags from this topic. That’s excessive and more importantly isn’t correct.

    As written above, that’s not necessarily a security issue. Though that library is a real hack if it needs to do that.

    If you found in that library that eval() was parsing un-sanitized input from a URL or user input then, yeah, that would be bad. You’ve not said anything like that. If you do find that then please report that specific issue.

    Plugin Author One Dollar Plugin

    (@onedollarplugin)

    Thanks for the moderation.

    Twig is quite robust and well-used, with over 68M composer installations. Our implementation doesn’t take or process any user input/customization. It’s simply compiling our own UI templates.
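The distinction the moderator and the plugin author draw above (eval() on code the application compiled itself versus eval() on request input) is what an audit like the original poster's needs to check for each call. The following triage script is an added example, not code from the plugin, from Twig, or from anyone in this thread; the PHP snippets it scans are constructed for illustration, and the regex-based check is a first pass that flags calls for manual review rather than a full taint analysis.

```python
import re

# Request-derived sources; an eval() argument that references one directly is
# attacker-influenced and is the case the moderator describes as "bad".
TAINT_SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_SERVER", "php://input")

# Matches `eval(<arg>);` including multi-line arguments. Note: it does not skip
# commented-out code, so results are a review list, not a verdict.
EVAL_RE = re.compile(r"\beval\s*\((?P<arg>.*?)\)\s*;", re.DOTALL)

# Constant PHP string, or several joined with '.', i.e. developer-owned code.
LITERAL_RE = re.compile(r"(?:'[^']*'|\"[^\"]*\")(?:\s*\.\s*(?:'[^']*'|\"[^\"]*\"))*")


def classify_eval_calls(php_source: str) -> list[dict]:
    """Return one record per eval() call with its line number and a verdict:
    'request-tainted' - argument references a request superglobal directly
    'literal'         - argument is a constant string (developer-owned code)
    'review'          - argument is a variable/expression; trace its origin by hand
    """
    findings = []
    for m in EVAL_RE.finditer(php_source):
        arg = m.group("arg").strip()
        line = php_source.count("\n", 0, m.start()) + 1
        if any(src in arg for src in TAINT_SOURCES):
            verdict = "request-tainted"
        elif LITERAL_RE.fullmatch(arg):
            verdict = "literal"
        else:
            verdict = "review"
        findings.append({"line": line, "arg": arg, "verdict": verdict})
    return findings


# Constructed PHP samples (hypothetical, not taken from any real plugin or library).
SAMPLE_PHP = """<?php
// Sample 1: a template engine evaluating code it compiled from its own templates.
$compiled = $this->compileSource($source, $name);
eval('?>' . $compiled);

// Sample 2: the pattern that is actually dangerous: code taken from the request.
eval($_GET['code']);

// Sample 3: a constant code string.
eval('return 1 + 1;');
"""

if __name__ == "__main__":
    for f in classify_eval_calls(SAMPLE_PHP):
        print(f"line {f['line']}: {f['verdict']:16} eval({f['arg']})")
```

For the 'review' case, the question to answer by hand is the one raised in the thread: whether the variable fed to eval() can ever carry template or code text supplied by a site visitor, or only files shipped with the plugin.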


The topic ‘Why does your code use PHP functions deemed dangerous such as eval()?’ is closed to new replies.