01206: Provide a way to use FmtPagename() safely on user-supplied data
Description: According to this thread it is unwise to use FmtPagename() on user-supplied data. (See here for the specific quote from PM.) This is primarily (I believe?) because it exposes global variables which could cause a security risk.
However, FmtPagename() is an immensely helpful function for recipe writers and very often this involves wanting to process page source -- i.e., user supplied data. If an additional, optional parameter were added to FmtPagename() which got rid of the processing of globals it would be a big help in writing secure recipes. This would require adding 2 lines of code and changing the function definition slightly...
- function FmtPageName($fmt, $pagename) {
+ function FmtPageName($fmt, $pagename, $do_globals=true) {
After that it's just a simple case of if'ing out the section at the end of the function that deals with globals...
if (strpos($fmt,'$')===false) return $fmt;
+ if ($do_globals) {
static $g;
if ($GCount != count($GLOBALS)+count($FmtV)) {
$g = array();
foreach($GLOBALS as $n=>$v) {
if (is_array($v) || is_object($v) ||
isset($FmtV["\$$n"]) || in_array($n,$UnsafeGlobals)) continue;
$g["\$$n"] = $v;
}
$GCount = count($GLOBALS)+count($FmtV);
krsort($g); reset($g);
}
$fmt = str_replace(array_keys($g),array_values($g),$fmt);
+ }
$fmt = preg_replace('/(?>(\\$[[:alpha:]]\\w+))/e',
"isset(\$FmtV['$1']) ? \$FmtV['$1'] : '$1'", $fmt);
return $fmt;