[Tickets #13379] Re: Discontinue eval

noreply at bugs.horde.org noreply at bugs.horde.org
Tue Jul 22 14:34:29 UTC 2014 

DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.

Ticket URL: http://bugs.horde.org/ticket/13379
------------------------------------------------------------------------------
  Ticket             | 13379
  Updated By         | o+horde at immerda.ch
  Summary            | Discontinue eval
  Queue              | IMP
  Version            | 6.2.0
  Type               | Enhancement
  State              | Feedback
  Priority           | 1. Low
  Milestone          |
  Patch              |
  Owners             |
------------------------------------------------------------------------------


o+horde at immerda.ch (2014-07-22 14:34) wrote:

> Nobody has shown that our code is subject to any security issue.

I certainly did not claim that. I don't know where you see such a  
claim in my bugreport.

> Use of eval() is perfectly acceptable.  I see way too many people  
> who say things like "eval() should NEVER be used".  Which is  
> flat-out wrong.  eval() is no more dangerous than anything else -  
> meaning it can be abused if used incorrectly.

Uhm, I am a bit baffled, as I did not expect this kind of argument.

Of course the use of eval is not necessarily dangerous, in the same  
way it is perfectly safe for skilled people to swallow a sword. It is  
however pretty easy to make a mistake and face severe consequences.

That is why i would consider passing a variable x to eval more  
dangerous than passing it to lets say split(). Since if through some  
other problems one is able to control x, the consequences are much  
more severe if x is evald.

Of course not using eval is not some magic potion, but it is certainly  
a step in the right direction in my opinion.

> I'm not saying that removing eval() is not something we should  
> strive for from a *design* perspective.

That was exactly my proposal.

> But I'm not sure what your alternative is.

Uhm how about:
document.createElement('script').src = '/myShinyNewScript.js';

> There is no difference, security wise, between separate script files  
> and eval'd code, as long as the eval'd code is properly escaped.

I see your argument and certainly it looks very similar if you receive  
code from the server via a script tag, or via ajax+eval.

But as I said it is a preventive measure. It makes it less likely that  
simple bugs can be escalated to security bugs if you separate data and  
code. If your php api is returning a json object, it might not  
immediately be clear to the backend coder, that parts of that object  
will be evald for example.

Well it certainly is your call on how to design your software, this  
was meant as a friendly hint...

More information about the bugs mailing list