Open CashWilliams opened 8 years ago
Using call_user_func() and call_user_func_array() causes lose of taint value.
call_user_func()
call_user_func_array()
Example code:
<?php $input = $_GET['in']; $function = 'render'; // Send tainted variable to $function $output = call_user_func($function, $input); function render($input) { // $input is tainted if (is_tainted($input)) { print "Input is tainted<br>"; } return $input; } // $output is tainted if (is_tainted($output)) { print "Output is tainted<br>"; }
Output:
Input is tainted
I've cleaned up the code a bit and tried to PR a test which fails locally https://github.com/laruence/taint/pull/31
Using
call_user_func()
andcall_user_func_array()
causes lose of taint value.Example code:
Output: