Royal casino game free play,Big bass splash jackpot summer series results.REGISTER NOW GET FREE 888 PESOS REWARDS!

Resolved ivantrendafilov
(@ivantrendafilov)

3 years ago
Is it possible to disable the plugin’s formula Evaluation class: libraries/evalmath.class.php? This class makes use of the PHP eval() function which we really want to disable, as it is a security concern.

It would be very helpful to have a setting that can disable this feature (prevent including that class at all; we do not use that feature), in order to be able to disable eval() on our servers.
- This topic was modified 3 years ago by ivantrendafilov.

Viewing 6 replies - 1 through 6 (of 6 total)

Plugin Author Tobias B?thge
(@tobiasbg)

3 years ago

Hi,

thanks for your post, and sorry for the trouble.

TablePress does indeed use a formula evaluation library that uses the PHP eval() function, but only after extensive sanitization and formula parsing.

Unfortunately, there’s no direct way to turn off the formula evaluation. If you really must, you could use a filter hook to override the loading of the PHP class. TablePress a custom class loader, see https://github.com/TobiasBg/TablePress/blob/master/classes/class-render.php#L147-L148 , which you could intercept via the filter hooks https://github.com/TobiasBg/TablePress/blob/master/classes/class-tablepress.php#L204 and https://github.com/TobiasBg/TablePress/blob/master/classes/class-tablepress.php#L178
You would have to replace that with a mock class that has a method https://github.com/TobiasBg/TablePress/blob/master/classes/class-evaluate.php#L70 and that returns the unmodified input data.

By the way, I’ll soon be replacing the formula evaluation library that TablePress uses with a new one in TablePress 2.0. The new one has more features and does not rely on eval(). It would then be necessary to revert your customizations from above again, so that you can then again use formulas.
That said, I’m not sure that you really have to take action here right now. Just deactivate eval() on the server, and in the event that you do get warnings or errors, educate users to not use formulas (if that’s an option).

Regards,
Tobias

Thread Starter ivantrendafilov
(@ivantrendafilov)

3 years ago

Hey Tobias,

Thank you for your response, this is super helpful. You mention that TablePress 2.0 will not depend on the class with eval(), do you have any rough estimate when that version will be available? Basically, so I know if it will be worth going through the process of overriding the class. My need to remove eval is not urgent.

Regards,
Ivan

Plugin Author Tobias B?thge
(@tobiasbg)

3 years ago

Hi Ivan,

good to hear that this is helpful!
My current plans for TablePress 2.0 aim at the late second quarter – but no guarantees ??

Regards,
Tobias

Plugin Author Tobias B?thge
(@tobiasbg)

2 years, 8 months ago

Hi,

and here it is, the first beta of TablePress 2.0 is ready for testing, if you are still looking for formula evaluation without eval(): https://tablepress.org/8-million-downloads-tablepress-2-0/

Best wishes,
Tobias

Thread Starter ivantrendafilov
(@ivantrendafilov)

2 years, 8 months ago

Thanks, amazing improvement and congrats on the 2.0!

Plugin Author Tobias B?thge
(@tobiasbg)

2 years, 8 months ago

Hi,

good to hear that you like it! I hope it will be helpful!

Best wishes,
Tobias
?
P.S.: In case you haven’t, please rate TablePress here in the plugin directory. Thanks!

Viewing 6 replies - 1 through 6 (of 6 total)

The topic ‘Disable Formula Evaluation due to eval() use’ is closed to new replies.