From 62e9cbf5b6b99b90a603d8875c5d3be9fe980804 Mon Sep 17 00:00:00 2001
From: Gary A Mort <garyamort@gmail.com>
Date: Fri, 22 Jun 2012 18:04:46 -0400
Subject: [PATCH] Eliminates an eval call when not needed & makes sure
 operators for countModules are within documented spec

---
 libraries/joomla/document/html/html.php | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/libraries/joomla/document/html/html.php b/libraries/joomla/document/html/html.php
index 8c69613407..830875d7ba 100644
--- a/libraries/joomla/document/html/html.php
+++ b/libraries/joomla/document/html/html.php
@@ -484,6 +484,23 @@ public function countModules($condition)
 	{
 		$operators = '(\+|\-|\*|\/|==|\!=|\<\>|\<|\>|\<=|\>=|and|or|xor)';
 		$words = preg_split('# ' . $operators . ' #', $condition, null, PREG_SPLIT_DELIM_CAPTURE);
+
+		// $words must be odd, an even number of words is a mistake so skip processing
+		if (!(count($words) & 1)) {
+			return false;
+		}
+
+		// don't allow undocumented/malicious operators
+		for ($i = 1, $n = count($words); $i < $n; $i += 2)
+		{
+			// even parts (operators)
+			$operator = strtolower($words[$i]);
+			if (!preg_match($operators, $words) )
+			{
+				return false;
+			}
+		}
+
 		for ($i = 0, $n = count($words); $i < $n; $i += 2)
 		{
 			// Odd parts (modules)
@@ -493,6 +510,12 @@ public function countModules($condition)
 				: count(JModuleHelper::getModules($name));
 		}
 
+
+		// one word doesn't need an eval call
+		if (count($words) == 1) {
+			return $words[0];
+		}
+
 		$str = 'return ' . implode(' ', $words) . ';';
 
 		return eval($str);