Comment on [#13379] Discontinue eval
>> Nobody has shown that our code is subject to any security issue.
>
> I certainly did not claim that. I don't know where you see such a claim in my bug report.
>
>> Use of eval() is perfectly acceptable. I see way too many people who say things like "eval() should NEVER be used". Which is flat-out wrong. eval() is no more dangerous than anything else - meaning it can be abused if used incorrectly.
>
> Uhm, I am a bit baffled, as I did not expect this kind of argument.
>
> Of course the use of eval is not necessarily dangerous, in the same way it is perfectly safe for skilled people to swallow a sword. It is however pretty easy to make a mistake and face severe consequences.
>
> That is why I would consider passing a variable x to eval more dangerous than passing it to, let's say, split(). Since if through some other problems one is able to control x, the consequences are much more severe if x is eval'd.
>
> Of course not using eval is not some magic potion, but it is certainly a step in the right direction in my opinion.
>
>> I'm not saying that removing eval() is not something we should strive for from a *design* perspective.
>
> That was exactly my proposal.
>
>> But I'm not sure what your alternative is.
>
> Uhm how about:
> document.createElement('script').src = '/myShinyNewScript.js';
>
>> There is no difference, security wise, between separate script files and eval'd code, as long as the eval'd code is properly escaped.
>
> I see your argument and certainly it looks very similar if you receive code from the server via a script tag, or via ajax+eval.
>
> But as I said it is a preventive measure. It makes it less likely that simple bugs can be escalated to security bugs if you separate data and code. If your PHP API is returning a JSON object, it might not immediately be clear to the backend coder that parts of that object will be eval'd, for example.
>
> Well it certainly is your call on how to design your software, this was meant as a friendly hint...
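The data-versus-code point made in the comment above, as an added example that is not code from the Horde ticket or the Horde project: a client that eval's an API response will execute any expression that leaks into the body, while a client that parses the same body as data (JSON.parse) rejects it outright. Both "responses" are constructed, and recordSideEffect() is a hypothetical stand-in for any function a stray expression could reach once evaluated.

```javascript
// Added example, not code from the Horde ticket or project.
// Contrast eval'ing a server response with parsing it as data (JSON.parse).
// The "responses" below are constructed; recordSideEffect() stands in for
// any function a stray expression could reach once it is eval'd.

let sideEffects = 0;

function recordSideEffect() {
  sideEffects += 1;
  return "x";
}

// Well-formed data: valid JSON and also a valid JS object literal.
const benignResponse = '{"user": "alice", "count": 3}';

// Not valid JSON (a call expression where a value belongs), but still a
// valid JS object literal. It models a backend bug or tampering that lets
// code slip into what the frontend treats as a pure data channel.
const codeInDataResponse = '{"user": recordSideEffect(), "count": 3}';

// Legacy pattern: evaluate the body as JavaScript. The parentheses make
// the braces parse as an object literal rather than a block statement.
function parseWithEval(body) {
  return eval("(" + body + ")");
}

// Data-only pattern: JSON.parse accepts only the JSON grammar and throws
// on anything else, so an expression in a value position never runs.
function parseAsData(body) {
  try {
    return { ok: true, value: JSON.parse(body) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Runs both parsers over both responses and reports how many times the
// side effect fired; the counter is reset so the result is deterministic.
function demo() {
  sideEffects = 0;
  return {
    evalBenign: parseWithEval(benignResponse),
    evalCodeInData: parseWithEval(codeInDataResponse), // executes recordSideEffect()
    dataBenign: parseAsData(benignResponse),
    dataCodeInData: parseAsData(codeInDataResponse), // rejected as SyntaxError
    sideEffects, // 1: only the eval path ran the injected expression
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The backend author of codeInDataResponse only shipped a malformed object; whether that becomes code execution is decided entirely by the parser the client chose. Keeping the transport data-only (JSON.parse for data, a script element or module import for code the client actually intends to run) is the separation the comment argues for.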