07-18-2017, 11:24 AM
The verdict:
This may allow to execute arbitrary code, or at least modify what code can be executed.
(Snippet from system/core/Loader.php)
any opinion? OR someone can prove they can do some harm by these line?
This may allow to execute arbitrary code, or at least modify what code can be executed.
(Snippet from system/core/Loader.php)
Code:
// If the PHP installation does not support short tags we'll
// do a little string replacement, changing the short tags
// to standard PHP echo statements.
if ( ! is_php('5.4') && ! ini_get('short_open_tag') && config_item('rewrite_short_tags') === TRUE)
{
echo eval('?>'.preg_replace('/;*\s*\?>/', '; ?>', str_replace('<?=', '<?php echo ', file_get_contents($_ci_path))));
}
any opinion? OR someone can prove they can do some harm by these line?