Prevent arbitrary code execution

[ghaspias]

Parse the potential string with regexp instead of using eval. This addresses #75

[fangq]

@ghaspias, thanks for reporting this - I absolutely agree with you that this behavior is undesired and dangerous.

However, this patch is not the same as the eval call that replaces. If I apply your patch, the unit testing script is broken.

One can disable this block entirely by appending 'FastArrayParser', 0 to the loadjson call, but the speed is abyssal compared to the eval version.

what do you think about my workaround committed here:

f7d8226

it detects ( and avoids function calls, although I am not sure if you can construct other exploitation forms of this eval.

[ghaspias]

@fangq I always prefer whitelisting, i.e., only executing what I know is valid. I was looking at str2num, but it has the same issue, it just calls eval. We should have a safe_eval, but in the meanwhile I guess your approach is ok. However, can't we have a quoted '(' inside arraystr?

[fangq]

you are right, () inside double-quotes will also be avoided, for example

loadjson('["a","system()"]')

in this case, the eval should have worked without the risk you mentioned above, but due to my patch, it will be routed to the slower item-by-item array parser.

I suppose this is a performance downgrade (if very large string arrays containing "...(..." are being parsed), but at least it does not have the security risk.