authoreinhverfr <einhverfr@4979c152-3d1c-0410-bac9-87ea11338e46>2007-03-04 23:05:24 +0000
committereinhverfr <einhverfr@4979c152-3d1c-0410-bac9-87ea11338e46>2007-03-04 23:05:24 +0000
commit46094fc8b565875cde623d5da9a13f78fdd95965 (patch)
treea2c617d1c0a3b4ee0928b75d5e79d5a5914188c3
parent8890a9bc8987f595c8f65bad1561fd610fc07681 (diff)
Adding operator whitelisting to template conditionals
git-svn-id: https://ledger-smb.svn.sourceforge.net/svnroot/ledger-smb/branches/1.2@845 4979c152-3d1c-0410-bac9-87ea11338e46
-rwxr-xr-xLedgerSMB/Form.pm7
1 files changed, 5 insertions, 2 deletions
diff --git a/LedgerSMB/Form.pm b/LedgerSMB/Form.pm
index 4fa3cb43..af8deae5 100755
--- a/LedgerSMB/Form.pm
+++ b/LedgerSMB/Form.pm
@@ -761,8 +761,11 @@ sub parse_template {
s/.*?<\?lsmb if (.+?) \?>/$1/;
if (/\s/) {
- @a = split;
- $ok = eval "$self->{$a[0]} $a[1] $a[2]";
+ @args = split;
+ if ($args[1] !~ /^(==|eq|>|gt|>|lt|>=|ge|le|<=|ne|!=)$/){
+ $self->error("Unknown/forbidden operator");
+ }
+ $ok = eval "$self->{$args[0]} $args[1] $args[2]";
} else {
$ok = $self->{$_};
}
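Review bot: The `eval` on the last added line still compiles `$self->{$args[0]}` and `$args[2]` as Perl source, so checking only `$args[1]` leaves both operands able to carry code into the evaluated string, and a form value or template token that is not a plain literal gets executed. The whitelist as shown lists `>` twice and never `<`, so a template using `<` is now rejected, and if `$self->error` returns rather than exiting (not visible here) the `eval` runs anyway after a failed check. I would drop the string `eval` and look the operator up in a table of comparison closures, passing the field value and the third token as data; templates that quote the right-hand operand would then need the quotes stripped. `parse_template` begins and continues outside this hunk.

```perl
# … unchanged: s/.*?<\?lsmb if (.+?) \?>/$1/; and the if (/\s/) { test …
# Operator table; better declared once, outside the template loop.
my %compare_for = (
    '==' => sub { $_[0] == $_[1] },
    '!=' => sub { $_[0] != $_[1] },
    '>'  => sub { $_[0] >  $_[1] },
    '<'  => sub { $_[0] <  $_[1] },
    '>=' => sub { $_[0] >= $_[1] },
    '<=' => sub { $_[0] <= $_[1] },
    'eq' => sub { $_[0] eq $_[1] },
    'ne' => sub { $_[0] ne $_[1] },
    'gt' => sub { $_[0] gt $_[1] },
    'lt' => sub { $_[0] lt $_[1] },
    'ge' => sub { $_[0] ge $_[1] },
    'le' => sub { $_[0] le $_[1] },
);
my ($field, $op, $operand) = split;
my $compare = $compare_for{$op};
if ($compare) {
    # Operands are passed as data and never compiled as Perl.
    $ok = $compare->($self->{$field}, $operand);
} else {
    $ok = 0;
    $self->error("Unknown/forbidden operator");
}
# … unchanged: } else { $ok = $self->{$_}; } …
```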