http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=8015
Galen Charlton <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #131 from Galen Charlton <[email protected]> ---
(In reply to Paul Poulain from comment #129)
> I hadn't checked what the eval was related to, I assumed it was safe.
> I agree with your point: failed QA, this could probably be exploited.
>
> Jared, would you be pleased if the parameters were sanitized, even if the
> eval is still here?

I think it would be better to drop the notion of using a string eval at all and just rewrite ModifyRecordWithTemplate to become a dispatcher that calls the modification subroutines directly. I say "just rewrite" because, for once, I think the work can be confined to a single routine.

Also, the patchset currently includes no tests that run ModifyRecordWithTemplate directly -- rather a lack, IMO. Resolving that can go hand-in-hand with removing the eval.
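The dispatcher shape Galen is asking for, as an added Perl example that is not Koha's code: template actions are looked up in a hash of code references (an allow-list) instead of being interpolated into a string passed to `eval`, so an action name that is not a known subroutine is rejected before anything runs. The subroutine names, the hashref "record" layout and the `modify_record_with_template` name are assumptions made for illustration, not Koha's real modification routines or API.

```perl
#!/usr/bin/perl
# Added example (not Koha's code): a dispatch table in place of a string eval.
# The action subroutines, the record layout and the dispatcher name are
# assumptions for illustration; they are not Koha's real routines.
use strict;
use warnings;

# Toy record: tag => [ values ]. Constructed sample data, not a real MARC record.
my $record = {
    '245' => ['Old title'],
    '500' => ['General note'],
};

# Modification subroutines (hypothetical names). Each receives the record and
# the parameters a template row would supply, and returns true if it changed
# the record.
sub add_field {
    my ($rec, %p) = @_;
    push @{ $rec->{ $p{tag} } }, $p{value};
    return 1;
}

sub delete_field {
    my ($rec, %p) = @_;
    return 0 unless exists $rec->{ $p{tag} };
    delete $rec->{ $p{tag} };
    return 1;
}

sub update_field {
    my ($rec, %p) = @_;
    return 0 unless exists $rec->{ $p{tag} };
    $rec->{ $p{tag} } = [ $p{value} ];
    return 1;
}

# The dispatch table is the whole allow-list: a template action is only ever
# used as a hash key here, never as Perl source. Adding an action means adding
# one key, which is easy to review and easy to cover with a test.
my %ACTION = (
    add_field    => \&add_field,
    delete_field => \&delete_field,
    update_field => \&update_field,
);

# Dispatcher standing in for the role ModifyRecordWithTemplate plays in the
# discussion. Unknown actions abort the whole template rather than being
# skipped silently, so a malformed template cannot half-apply.
sub modify_record_with_template {
    my ($rec, $template) = @_;
    my @applied;
    for my $row (@$template) {
        my $name    = $row->{action} // '';
        my $handler = $ACTION{$name}
            or die "Unknown template action '$name'; refusing to apply template\n";
        push @applied, $name if $handler->( $rec, %{ $row->{params} } );
    }
    return \@applied;
}

# What the thread argues against: building Perl source out of template data.
# Anything in $action would be compiled and run as code, so this form is
# deliberately not used anywhere in this example.
#   eval "$action(\$record, \%params)";

# Constructed template rows exercising each known action.
my @template = (
    { action => 'update_field', params => { tag => '245', value => 'New title' } },
    { action => 'add_field',    params => { tag => '650', value => 'Subject' } },
    { action => 'delete_field', params => { tag => '500' } },
);

my $applied = modify_record_with_template( $record, \@template );
print "applied: @$applied\n";
print "$_: @{ $record->{$_} }\n" for sort keys %$record;

# A row whose action is not in the table is rejected by the lookup alone;
# no name-to-code translation ever happens.
my $bad = [ { action => 'not_an_action', params => {} } ];
eval { modify_record_with_template( $record, $bad ) };
print "rejected: $@" if $@;
```

Because the dispatcher is a plain subroutine taking a record and a list of rows, it is also the natural unit for the direct tests the comment says are missing: one test per key in `%ACTION`, plus one asserting that an unknown action dies without touching the record.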
