• Resolved Erick

    (@relozo)


    Hi Tobias,

    Hope you’re well.

    I want to ask regarding one of your libraries: /tablepress/libraries/evalmath.class.php

    It was flagged internally that using eval on expressions based on user input can execute arbitrary code, and should be avoided if possible.

    Would you be able to advise if this is safe on your side?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Tobias Bäthge

    (@tobiasbg)

    Hi @relozo,

    Thanks for your question, I will be happy to help!

    In this case, this report is a false positive: The evalmath.class.php file does indeed use the PHP eval function, which can be used to execute PHP code.
    It will however only execute safely constructed commands (for evaluating mathematical expressions), so that there is no risk here and this is safe to use.

    (In addition, this library is actually only used on “legacy” systems, with older versions of PHP on the site that don’t have the “mbstring” PHP extension installed. On modern systems, a different library will be used that does not depend on using eval.)

    Best wishes,
    Tobias
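
The distinction the reply draws, between feeding raw input to eval() and evaluating a mathematical expression through safely constructed steps, is shown below as an added example. This is not code from TablePress or from evalmath.class.php; the class name SafeMath, the function names and the sample expressions are this example's own constructions. The risky pattern is shown only for contrast; the hardened version accepts a strict whitelist of tokens and computes the result with a small recursive-descent parser, so no eval() call is involved at all.

```php
<?php
// Added example (not TablePress or evalmath.class.php code).

// The pattern the report is about: raw user input reaching eval() means
// whatever the caller types becomes PHP code. Shown only for contrast.
function unsafe_eval_math(string $expr)
{
    return eval('return ' . $expr . ';');
}

// Hardened alternative: validate against a whitelist of tokens, then evaluate
// with a hand-written parser. Only numbers, + - * / ^, parentheses and unary
// minus are accepted; anything else is rejected before any computation.
final class SafeMath
{
    private array $tokens;
    private int $pos = 0;

    private function __construct(array $tokens) { $this->tokens = $tokens; }

    public static function evaluate(string $expr): float
    {
        // Step 1: the whole input must consist of whitelisted tokens only.
        if (!preg_match('/^\s*(?:(?:\d+(?:\.\d+)?|[-+*\/^()])\s*)+$/', $expr)) {
            throw new InvalidArgumentException('expression contains disallowed characters');
        }
        // Step 2: split into tokens (same whitelist) and parse.
        preg_match_all('/\d+(?:\.\d+)?|[-+*\/^()]/', $expr, $m);
        $p = new self($m[0]);
        $result = $p->parseExpr();
        if ($p->pos !== count($p->tokens)) {
            throw new InvalidArgumentException('unexpected token: ' . $p->tokens[$p->pos]);
        }
        return $result;
    }

    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }
    private function next(): ?string { return $this->tokens[$this->pos++] ?? null; }

    // expr := term (('+' | '-') term)*
    private function parseExpr(): float
    {
        $v = $this->parseTerm();
        while (in_array($this->peek(), ['+', '-'], true)) {
            $op = $this->next();
            $r = $this->parseTerm();
            $v = ($op === '+') ? $v + $r : $v - $r;
        }
        return $v;
    }

    // term := unary (('*' | '/') unary)*
    private function parseTerm(): float
    {
        $v = $this->parseUnary();
        while (in_array($this->peek(), ['*', '/'], true)) {
            $op = $this->next();
            $r = $this->parseUnary();
            if ($op === '/') {
                if ($r == 0.0) { throw new DomainException('division by zero'); }
                $v = $v / $r;
            } else {
                $v = $v * $r;
            }
        }
        return $v;
    }

    // unary := '-' unary | power   (so "-2 ^ 2" reads as -(2 ^ 2))
    private function parseUnary(): float
    {
        if ($this->peek() === '-') { $this->next(); return -$this->parseUnary(); }
        return $this->parsePower();
    }

    // power := primary ('^' unary)?   (right-associative, allows "2 ^ -1")
    private function parsePower(): float
    {
        $base = $this->parsePrimary();
        if ($this->peek() === '^') { $this->next(); return $base ** $this->parseUnary(); }
        return $base;
    }

    // primary := number | '(' expr ')'
    private function parsePrimary(): float
    {
        $t = $this->next();
        if ($t === null) { throw new InvalidArgumentException('unexpected end of expression'); }
        if ($t === '(') {
            $v = $this->parseExpr();
            if ($this->next() !== ')') { throw new InvalidArgumentException('missing closing parenthesis'); }
            return $v;
        }
        if (is_numeric($t)) { return (float) $t; }
        throw new InvalidArgumentException('unexpected token: ' . $t);
    }
}

// Constructed sample inputs: two valid expressions and one that smuggles a
// function call, which the whitelist rejects before anything is evaluated.
foreach (['2 + 3 * (4 - 1) ^ 2', '-(2.5 * 4) / 5', '1 + foo()'] as $in) {
    try {
        printf("%-22s => %s\n", $in, SafeMath::evaluate($in));
    } catch (Throwable $e) {
        printf("%-22s => rejected (%s)\n", $in, $e->getMessage());
    }
}
```

The useful check when reviewing any eval()-based evaluator is the one this example makes explicit: every byte of the input must be matched by a whitelist before it is used, and the grammar that is then applied must be unable to produce a function call, variable access or string. Avoiding eval() altogether, as the reply notes the plugin does on modern systems, removes the question entirely.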

    Thread Starter Erick

    (@relozo)

    Hi Tobias,

    Thank you for responding and for the explanation 🙂

    I’ll let you know if there are any further questions, but I’ll mark it as resolved.

    Have a great week ahead.

    Plugin Author Tobias Bäthge

    (@tobiasbg)

    Hi,

    no problem, you are very welcome! 🙂 Good to hear that this helped!

    Best wishes,
    Tobias

    P.S.: In case you haven’t, please rate TablePress in the plugin directory. Thanks!
