Status: Active
Project: Content Taxonomy
Version: 6.x-2.x-dev
Component: Code
Priority: Normal
Category: Bug report
Assigned: Unassigned
Created: 5 Mar 2012 at 23:37 UTC
Updated: 5 Mar 2012 at 23:37 UTC
This was originally a report to the security team, but it can be handled in public because of http://drupal.org/security-advisory-policy
David Hunt wrote:

Are straight eval() calls of user input - i.e. instead of drupal_eval() - a security risk worth informing you about?

    // From content_taxonomy: the stored PHP snippet is executed with a raw
    // eval() in the caller's scope and its return value is used directly.
    function content_taxonomy_field_get_parent($field) {
      if (!empty($field['parent_php_code'])) {
        return eval($field['parent_php_code']);
      }
      return $field['parent'];
    }
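An added illustration, not code from the module or from the report, contrasting the inline eval() pattern above with a drupal_eval()-style wrapper. The function names, $secret and the sample snippet are constructed for this example; the wrapper body follows Drupal 6's drupal_eval() with its theme-path bookkeeping left out.

```php
<?php
// Added illustration (not the module's code). Shows the two properties that
// separate the inline eval() pattern above from a drupal_eval()-style
// wrapper: which scope the stored snippet runs in, and what comes back.

// Same shape as the module's function: the snippet runs inside this
// function's scope, so it can read or change any local here ($secret, $field).
function inline_eval_example($field) {
  $secret = 'caller-local';
  return eval($field['parent_php_code']);
}

// Wrapper following Drupal 6's drupal_eval() (theme-path handling omitted):
// the snippet only sees this function's own locals and globals, must carry
// its own <?php tag because of the '?>' prefix, and the caller receives the
// captured output rather than the snippet's return value.
function isolated_eval_example($code) {
  ob_start();
  print eval('?>' . $code);
  $output = ob_get_contents();
  ob_end_clean();
  return $output;
}

// Constructed sample snippet: reports whether it can see $secret.
$snippet = 'return isset($secret) ? $secret : "not visible";';

$field = array('parent_php_code' => $snippet);
// Inline: the snippet reaches the caller's local and hands it back as a value.
var_dump(inline_eval_example($field));
// Isolated: $secret is out of reach, and the result is whatever was printed.
var_dump(isolated_eval_example('<?php ' . $snippet . ' ?>'));
```

Because drupal_eval() returns captured output, a parent snippet that relies on eval()'s return value (for example returning an array of parent terms) would need to be adapted before the module could switch to it.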
Follow-up discussion by neclimdul mentioned http://drupal.org/node/715010 as a best practice worth reviewing and applying to the module.