From 46094fc8b565875cde623d5da9a13f78fdd95965 Mon Sep 17 00:00:00 2001
From: einhverfr
Date: Sun, 4 Mar 2007 23:05:24 +0000
Subject: Adding operator whitelisting to template conditionals

git-svn-id: https://ledger-smb.svn.sourceforge.net/svnroot/ledger-smb/branches/1.2@845 4979c152-3d1c-0410-bac9-87ea11338e46
---
 LedgerSMB/Form.pm | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/LedgerSMB/Form.pm b/LedgerSMB/Form.pm
index 4fa3cb43..af8deae5 100755
--- a/LedgerSMB/Form.pm
+++ b/LedgerSMB/Form.pm
@@ -761,8 +761,11 @@ sub parse_template {
     s/.*?<\?lsmb if (.+?) \?>/$1/;
     if (/\s/) {
-        @a = split;
-        $ok = eval "$self->{$a[0]} $a[1] $a[2]";
+        @args = split;
+        if ($args[1] !~ /^(==|eq|>|gt|>|lt|>=|ge|le|<=|ne|!=)$/){
+            $self->error("Unknown/forbidden operator");
+        }
+        $ok = eval "$self->{$args[0]} $args[1] $args[2]";
     } else {
         $ok = $self->{$_};
     }
-- 
cgit v1.2.3
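Review bot: The whitelist regex on the new `if ($args[1] !~ ...)` line lists `>` twice and never lists `<`, so a template conditional using `<` is rejected while every other comparison is accepted; the alternation should read `(==|eq|>|gt|<|lt|>=|ge|<=|le|ne|!=)`. The check also only constrains the operator slot: `$self->{$args[0]}` and `$args[2]` are still interpolated unquoted into the string `eval` on the following line, so whatever lands in the named form field or in the template's right-hand operand is still compiled as Perl, and unless `$self->error` never returns (its definition is not in this hunk) that eval runs even after a rejected operator. Replacing the string eval with a table of comparison subs keyed by the allowed operators closes both gaps while keeping the same operator set; the right-hand operand then becomes a literal value rather than Perl source, so templates that quote it would need checking. The enclosing `parse_template` continues outside the hunk.
```perl
    if (/\s/) {
        @args = split;
        # Fixed comparison table: neither operand is ever parsed as Perl.
        my %cmp_for = (
            '==' => sub { $_[0] == $_[1] }, '!=' => sub { $_[0] != $_[1] },
            'eq' => sub { $_[0] eq $_[1] }, 'ne' => sub { $_[0] ne $_[1] },
            '>'  => sub { $_[0] >  $_[1] }, '<'  => sub { $_[0] <  $_[1] },
            'gt' => sub { $_[0] gt $_[1] }, 'lt' => sub { $_[0] lt $_[1] },
            '>=' => sub { $_[0] >= $_[1] }, '<=' => sub { $_[0] <= $_[1] },
            'ge' => sub { $_[0] ge $_[1] }, 'le' => sub { $_[0] le $_[1] },
        );
        my $cmp = defined $args[1] ? $cmp_for{$args[1]} : undef;
        if (!$cmp) {
            $self->error("Unknown/forbidden operator");
        }
        $ok = $cmp->($self->{$args[0]}, $args[2]);
    # … unchanged: else branch assigning $ok = $self->{$_} …
```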