From dae95a0baf3963a9ef87c17cee52f78f77e21829 Mon Sep 17 00:00:00 2001
From: ikkez <ikkez0n3@gmail.com>
Date: Sat, 4 Jan 2020 15:43:41 +0100
Subject: [PATCH] ensure misuse of clear() wont open a vulnerability

---
 base.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/base.php b/base.php
index e8234d6b..441ade56 100644
--- a/base.php
+++ b/base.php
@@ -503,6 +503,8 @@ function clear($key) {
 			// Reset global to default value
 			$this->hive[$parts[0]]=$this->init[$parts[0]];
 		else {
+			// Ensure we have no code injection
+			$key=preg_replace('/(\)\W*\w+.*$)/','',$key);
 			eval('unset('.$this->compile('@this->hive.'.$key).');');
 			if ($parts[0]=='SESSION') {
 				session_commit();
@@ -2963,13 +2965,11 @@ function c($val) {
 	*	@param $str string
 	**/
 	function token($str) {
-		$fw=$this->fw;
-		$str=trim(preg_replace('/\{\{(.+?)\}\}/s',trim('\1'),
-			$fw->compile($str)));
+		$str=trim(preg_replace('/\{\{(.+?)\}\}/s','\1',$this->fw->compile($str)));
 		if (preg_match('/^(.+)(?<!\|)\|((?:\h*\w+(?:\h*[,;]?))+)$/s',
 			$str,$parts)) {
 			$str=trim($parts[1]);
-			foreach ($fw->split(trim($parts[2],"\xC2\xA0")) as $func)
+			foreach ($this->fw->split(trim($parts[2],"\xC2\xA0")) as $func)
 				$str=((empty($this->filter[$cmd=$func]) &&
 					function_exists($cmd)) ||
 					is_string($cmd=$this->filter($func)))?