vb eval() -- huh?


loOll
04-11-2003, 08:24 PM
I'm currently going through the source code of vB 2.3.0, and I'm confused by all the eval'ed statements I'm finding (especially in functions.php). Example:

eval("\$customfields .= \"".gettemplate("getinfo_customfields")."\";");

This seems not only unnecessary, but dangerous. There's too much trust being placed upon the gettemplate function and the table data it pulls its results from. Is there any benefit to doing this which perhaps I've missed?

filburt1
04-11-2003, 08:34 PM
It allows you to use variables in templates.

Xenon
04-11-2003, 08:59 PM
Nothing is dangerous, because the templates are just saved in strings and not parsed directly (except phpinclude).

How eval works can be seen in the php.net function list.

loOll
04-11-2003, 09:27 PM
Filburt, excuse my continued confusion, but how is:

eval("\$customfields .= \"".gettemplate("getinfo_customfields")."\";");
different from:
$customfields .= gettemplate("getinfo_customfields");

Xenon, I should have explained a bit more. Same example:

eval("\$customfields .= \"".gettemplate("getinfo_customfields")."\";");

If gettemplate returns -- "; system("blah"); // -- you have a statement which evaluates to something like:

eval('$customfields .= ""; system("blah"); // ";');

When that's eval'ed, the command `blah` is run. This is of course a potential vulnerability, and depends upon another vulnerability in vB which either lets one taint $templatecache or modify a template row (which may be a vulnerability in another webapp that uses the same database). Being able to run system commands is more dangerous than a typical SQL injection vulnerability.

I see the risk here, but not the benefit.

filburt1
04-11-2003, 09:36 PM
http://www.php.net/eval

Read the two things that it does. It doesn't just execute code.

Xenon
04-11-2003, 10:53 PM
@loOll:
Look at the code more exactly.

If gettemplate returns -- "; system("blah");

it will end up as this:

$bla = " ---\"; system(\"blah\"); ";

There's an addslashes in gettemplate; if you don't want them in, you can call gettemplate in another way.
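The mechanism Xenon describes, as an added illustration that is not vBulletin's own code: a stand-in gettemplate_demo() that runs the template text through addslashes(), and a render_demo() that builds the same eval() statement shape as the functions.php line quoted above, run over a constructed normal template and a constructed hostile row, with and without the escaping step. The function names, the template rows and the variable values are assumptions made for the demo.

```php
<?php
// Added illustration, not vBulletin's own code: a minimal stand-in for the
// gettemplate()/eval() pattern discussed in this thread. The addslashes() step
// in gettemplate() is what keeps template text inside the string literal.

// Constructed stand-in for the template table rows.
$templates = [
    'getinfo_customfields' => 'Field: $fieldname = $fieldvalue<br />',
    // Constructed hostile row that tries to close the string and run code.
    'hostile' => '"; throw new Exception("broke out of the string"); //',
];

// Stand-in for vB's gettemplate(): returns the template text run through
// addslashes(), so quotes and backslashes in it cannot end the string literal.
function gettemplate_demo(array $templates, string $name, bool $escape = true): string
{
    $tpl = $templates[$name];
    return $escape ? addslashes($tpl) : $tpl;
}

// Builds the same statement shape as the eval() line quoted from functions.php.
function render_demo(array $templates, string $name, array $vars, bool $escape = true): string
{
    extract($vars);   // makes $fieldname and $fieldvalue visible to the eval'ed code
    $out = '';
    try {
        eval("\$out .= \"" . gettemplate_demo($templates, $name, $escape) . "\";");
    } catch (Exception $e) {
        return 'CODE EXECUTED: ' . $e->getMessage();
    }
    return $out;
}

$vars = ['fieldname' => 'Location', 'fieldvalue' => 'Berlin'];

// Normal template: $fieldname and $fieldvalue are interpolated into the output,
// which is the benefit filburt1 describes.
echo render_demo($templates, 'getinfo_customfields', $vars), "\n";

// Hostile row with addslashes(): the quote is escaped, so the whole row ends up
// as literal text in the output and nothing is executed.
echo render_demo($templates, 'hostile', $vars), "\n";

// Same row without the escaping step: the string literal is closed early and
// the code that follows it runs.
echo render_demo($templates, 'hostile', $vars, false), "\n";
```

The third call is the situation loOll describes: the protection rests entirely on every path to the eval() going through the escaping, which is also why Xenon's remark about calling gettemplate "in another way" matters.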

loOll
04-11-2003, 11:54 PM
Today at 07:47 PM Xenon said this in Post #6 (https://vborg.vbsupport.ru/showthread.php?postid=380841#post380841)
There's an addslashes in gettemplate; if you don't want them in, you can call gettemplate in another way.

After actually installing vBulletin and examining the database rows it was pulling template data from, everything became clear. As a Smarty user, I must say I still find the eval() template system odd. I'm likely going to be hacking the codebase to use Smarty and Pear DB before deploying it on my site.

Thanks for the help.

filburt1
04-12-2003, 12:28 AM
Today at 08:48 PM loOll said this in Post #7 (https://vborg.vbsupport.ru/showthread.php?postid=380855#post380855)
After actually installing vBulletin and examining the database rows it was pulling template data from, everything became clear. As a Smarty user, I must say I still find the eval() template system odd. I'm likely going to be hacking the codebase to use Smarty and Pear DB before deploying it on my site.

Thanks for the help.


You may be rewriting half of vBulletin then because there are at least two "special" templates that I can think of that do not work like normal templates.

Link14716
04-12-2003, 10:13 PM
phpinclude, options, birthdays, and maxloggedin.

I think those are the 4 templates that aren't normal templates. ;)

Xenon
04-13-2003, 04:04 PM
Just phpinclude and options count, because these are really eval'ed ;)

The other two are also somehow special, but in another way ;)