drop eval function #213
Comments
Any replacement suggested? ;)
Using proper functions and stuff would be good, I'll quote Rasmus (founder of PHP, make of it what you will); It also opens up many possibilities for remote code execution for no good reason. I can't think of a single time I have had to use eval() in literally millions of lines of code. In short, it's unsafe and lazy at best.
In that case, this is legit I think. We have no user input there, just config.lua parsing. But, well. I am open to suggestions how that could be replaced :)
Currently looking into this, but it seems eval() is only used to validate that an expression exists and contains two values. This could be done with an if/switch statement instead. Could you elaborate on whether or not I am misunderstanding this? Will have a look into "fixing" this later when I have more time to test its functionality and then create a PR. And you are correct about how it's used and currently it should not present any issues, thing is while this code looks safe we cannot safely assume there are no, or will be, any vulnerabilities that can abuse this somehow. Eval is a dangerous function to use in a live production env. I can absolutely see it used for prototyping or similar, but for a live website it's.. Sketchy!
Description: drop `eval` functions for better support on running in web hosting
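
An eval-free way to read such values, as an added example that is not the project's code: it assumes config.lua lines have the form `key = value`, where the value is a boolean, `nil`, a quoted string, a number, or a product of integer literals, and it rejects everything else instead of executing it. The function names `parse_lua_value` and `parse_lua_config` and the sample keys are hypothetical.

```php
<?php
// Added example, not the project's code. Function names and the accepted
// value grammar are assumptions made for illustration.

function parse_lua_value(string $raw)
{
    $raw = trim($raw);
    if ($raw === 'true')  { return true; }
    if ($raw === 'false') { return false; }
    if ($raw === 'nil')   { return null; }
    // Quoted string without embedded quotes or backslashes: return it as data.
    if (preg_match('/^(["\'])([^"\'\\\\]*)\1$/', $raw, $m)) {
        return $m[2];
    }
    // Integer or decimal literal.
    if (preg_match('/^-?\d+(\.\d+)?$/', $raw)) {
        return $raw + 0;
    }
    // Product of integer literals such as 2 * 60 * 1000.
    if (preg_match('/^\d+(\s*\*\s*\d+)+$/', $raw)) {
        return array_product(array_map('intval', preg_split('/\s*\*\s*/', $raw)));
    }
    // Anything else (function calls, concatenation, tables) is refused, never executed.
    throw new InvalidArgumentException("unsupported config value: $raw");
}

function parse_lua_config(string $text): array
{
    $config = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $line = trim($line);
        if ($line === '' || strncmp($line, '--', 2) === 0) { continue; } // blank or comment
        if (!preg_match('/^([A-Za-z_]\w*)\s*=\s*(.+)$/', $line, $m)) {
            throw new InvalidArgumentException("unparsable line: $line");
        }
        $config[$m[1]] = parse_lua_value($m[2]);
    }
    return $config;
}

// Constructed sample input, not taken from the project's config.lua.
$sample = <<<'LUA'
-- constructed sample
siteName = "Example"
dbPort = 3306
cacheEnabled = false
timeoutMs = 2 * 60 * 1000
LUA;

var_dump(parse_lua_config($sample));
```

Because unsupported values raise an exception, a config line that today relies on `eval()` for something outside this grammar fails loudly at load time instead of being run as PHP.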