Skip to content

Count modules security patch #1307

Closed
wants to merge 4 commits into from
View
23 libraries/joomla/document/html/html.php
@@ -484,6 +484,23 @@ public function countModules($condition)
{
$operators = '(\+|\-|\*|\/|==|\!=|\<\>|\<|\>|\<=|\>=|and|or|xor)';
$words = preg_split('# ' . $operators . ' #', $condition, null, PREG_SPLIT_DELIM_CAPTURE);
+
+ // $words must be odd, an even number of words is a mistake so skip processing
+ if (!(count($words) & 1)) {
+ return false;
@realityking
Joomla! member
realityking added a note Jun 22, 2012

I'd throw an InvalidArgumentException here.

@garyamort
garyamort added a note Jun 23, 2012

From deploying Joomla! CMS, I'd rather not have an exception thrown which breaks the website due to some invalid template...especially if it was in an admin template which then made it impossible to fix without directly updating database.

@realityking
Joomla! member
realityking added a note Jun 23, 2012

I agree that we can't do it in 2.5. But throwing an exception will make it much easier for devs to even notice their error so I think that is preferable for 3.0.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
+ }
+
+ // don't allow undocumented/malicious operators
+ for ($i = 1, $n = count($words); $i < $n; $i += 2)
+ {
+ // even parts (operators)
+ $operator = strtolower($words[$i]);
+ if (!preg_match($operators, $words) )
+ {
+ return false;
+ }
+ }
+
for ($i = 0, $n = count($words); $i < $n; $i += 2)
{
// Odd parts (modules)
@@ -493,6 +510,12 @@ public function countModules($condition)
: count(JModuleHelper::getModules($name));
}
+
+ // one word doesn't need an eval call
+ if (count($words) == 1) {
+ return $words[0];
+ }
+
$str = 'return ' . implode(' ', $words) . ';';
return eval($str);
Something went wrong with that request. Please try again.