is this actually used anywhere? -Hannes
On Tue, Jan 20, 2015 at 1:10 PM, Peter Cowburn <[email protected]> wrote: > Commit: 686c4181e35c1b248dd95d502524cdc11a86c6d4 > Author: Anthony Ferrara <[email protected]> Tue, 20 Jan 2015 > 16:10:19 -0500 > Parents: a4d873b05f0ea8ec26327bcccc645f051e15ca18 > Branches: master > > Link: > http://git.php.net/?p=web/php.git;a=commitdiff;h=686c4181e35c1b248dd95d502524cdc11a86c6d4 > > Log: > Fix potential file-include vulnerability > > Fix potential file-include vulnerability by adding `EXTR_SKIP` to extract so > it doesn't overwrite `$params` array. > > Changed paths: > M include/layout.inc > > > Diff: > diff --git a/include/layout.inc b/include/layout.inc > index 4b7d29e..9fc583b 100644 > --- a/include/layout.inc > +++ b/include/layout.inc > @@ -396,7 +396,7 @@ function print_view($templateName, array $params = > array()) { > $path = $_SERVER['DOCUMENT_ROOT'] . '/views/' . $templateName; > if(file_exists($path)) { > if(!empty($params)) { > - extract($params); > + extract($params, EXTR_SKIP); > } > include_once $path; > } > > > -- > PHP Webmaster List Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > -- PHP Webmaster List Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
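Review bot: In print_view(), `extract($params, EXTR_SKIP)` silently drops any key that collides with a local already in scope at that point (`templateName`, `params`, `path`), and nothing in the hunk documents those names as reserved. A view that expects a variable with one of those names will see the function's own value instead of the caller's, with no warning. Consider adding a comment above the call listing the reserved names, or comparing extract()'s return value (the number of variables it imported) against count($params) and logging a mismatch. EXTR_PREFIX_ALL with a fixed prefix would remove the collision entirely, at the cost of updating the views. Separately, `$path` is still built by concatenating `$templateName` onto the views directory with only a file_exists() check in the visible lines, so it is worth confirming the template name is constrained to that directory before the `include_once`.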
