1. 02 Jul, 2016 1 commit
  2. 27 May, 2016 4 commits
  3. 26 May, 2016 1 commit
  4. 25 May, 2016 1 commit
  5. 14 May, 2016 3 commits
  6. 23 Mar, 2016 1 commit
  7. 07 Mar, 2016 4 commits
  8. 23 Jan, 2016 1 commit
  9. 05 Dec, 2015 1 commit
  10. 01 Dec, 2015 2 commits
  11. 18 Aug, 2015 1 commit
  12. 08 Aug, 2015 1 commit
  13. 30 Jul, 2015 2 commits
  14. 27 Jul, 2015 3 commits
  15. 17 Jul, 2015 1 commit
  16. 06 Jul, 2015 1 commit
  17. 25 Apr, 2015 1 commit
  18. 04 Apr, 2015 1 commit
  19. 23 Mar, 2015 1 commit
  20. 18 Nov, 2014 1 commit
  21. 17 Nov, 2014 1 commit
  22. 11 Nov, 2014 1 commit
  23. 29 Aug, 2014 4 commits
  24. 05 Aug, 2014 1 commit
  25. 01 Aug, 2014 1 commit
    • Do not eval unsafe ext_emconf.php · dda29e2d
      Philipp Gampe authored
      The TER frontend upload needs to extract various information
      (description, state, dependencies, title, etc.) from the extension's
      em_conf.php file.
      This file is user generated and could contain malicious code.
      
      As collecting all information via the web interface is not feasible,
      we parse the file with PHP-Parser and evaluate safe parts of the code.
      
      PHP-Parser turns the file into an AST. Then we can traverse it and
      remove any nodes that are not scalars or arrays.
      Additionally we check that we only have one assignment and that we
      only assign to $EM_CONF.
      
      The safe AST is then turned back into PHP code and eval'd such that
      we get access to the data.
      
      The TER SOAP API is not affected, because the ext_emconf.php file
      contents are provided as an array and not as a file.
      
      Change-Id: I41ac8aedc3a233b5d56caa9c11eed4075d380537
      Reviewed-on: http://review.typo3.org/31940
      
      
      Reviewed-by: Christian Zenker <typo3@xopn.de>
      Tested-by: Christian Zenker <typo3@xopn.de>
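
The approach described in the commit message above, as an added example that is not the TER code: parse the file with PHP-Parser, accept exactly one `$EM_CONF[$_EXTKEY] = array(...)` assignment, and allow only string, number, `true`/`false`/`null` and array nodes. It assumes nikic/php-parser 4.x installed via Composer and the usual `$_EXTKEY` index, the function names are hypothetical, and unlike the commit it builds the array directly from the whitelisted nodes instead of printing the AST back to PHP and eval'ing it.

```php
<?php
// Added example, not TER code. Assumes nikic/php-parser 4.x installed via Composer.
require __DIR__ . '/vendor/autoload.php';
use PhpParser\{Node, ParserFactory};
use PhpParser\Node\{Expr, Scalar, Stmt};

// Convert a whitelisted literal node to a PHP value; every other node type is rejected.
function emconfLiteral(Node $n)
{
    if ($n instanceof Scalar\String_ || $n instanceof Scalar\LNumber || $n instanceof Scalar\DNumber) return $n->value;
    $consts = ['true' => true, 'false' => false, 'null' => null];
    if ($n instanceof Expr\ConstFetch && array_key_exists($c = strtolower($n->name->toString()), $consts)) {
        return $consts[$c];
    }
    if ($n instanceof Expr\Array_) {
        $out = [];
        foreach ($n->items as $item) {
            if ($item === null || $item->byRef) throw new UnexpectedValueException('bad array item');
            $value = emconfLiteral($item->value);
            if ($item->key === null) { $out[] = $value; continue; }
            $key = emconfLiteral($item->key);
            if (!is_int($key) && !is_string($key)) throw new UnexpectedValueException('bad array key');
            $out[$key] = $value;
        }
        return $out;
    }
    throw new UnexpectedValueException('disallowed node: ' . $n->getType());
}

// Accept exactly one statement, `$EM_CONF[$_EXTKEY] = array(...)`, and return its data.
function readEmConf(string $code): array
{
    $stmts = (new ParserFactory)->create(ParserFactory::PREFER_PHP7)->parse($code) ?? [];
    $stmts = array_values(array_filter($stmts, function ($s) { return !$s instanceof Stmt\Nop; }));
    $a = (count($stmts) === 1 && $stmts[0] instanceof Stmt\Expression) ? $stmts[0]->expr : null;
    $var = $a instanceof Expr\Assign ? $a->var : null;
    if (!$var instanceof Expr\ArrayDimFetch || !$a->expr instanceof Expr\Array_
        || !$var->var instanceof Expr\Variable || $var->var->name !== 'EM_CONF'
        || !$var->dim instanceof Expr\Variable || $var->dim->name !== '_EXTKEY') {
        throw new UnexpectedValueException('expected a single $EM_CONF[$_EXTKEY] = array(...) assignment');
    }
    return emconfLiteral($a->expr);
}

// Constructed samples: a plain config, then one that hides a function call in a value.
foreach (["array('title' => 'Demo', 'state' => 'stable')", "array('title' => phpversion())"] as $rhs) {
    try { var_export(readEmConf("<?php \$EM_CONF[\$_EXTKEY] = $rhs;")); echo "\n"; }
    catch (UnexpectedValueException $e) { echo $e->getMessage(), "\n"; }
}
```

The whitelist names concrete node classes rather than the `Scalar` base class, because in PHP-Parser 4.x interpolated strings (`Scalar\Encapsed`) also extend `Scalar` and can carry arbitrary expressions.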