Malware alert

[leespitia]

After a new installation in my hosting, I'm getting this alert:

/e107/e107_handlers/menumanager_class.php generic.eval.file.get.contents.1

I guess that the alert it's been generated because of the use of the function eval(), is there any update planed to solve this issue.

[Deltik]

There are currently no plans to address the malware alert, which is a false positive.

The file_get_contents()/eval() combination was introduced in 6531a68 as a workaround for loading the unstructured code of legacy themes' theme.php.

file_get_contents() followed by eval() is indeed a common malware pattern, but in the case of ./e107_handlers/menumanager_class.php, it's mostly a suboptimal way to cope with parsing legacy themes.

There isn't an easy way to import legacy theme.php files in a way compatible with the Menu Manager. One possibility could be to write a compiler using PHP Parser that preprocesses old theme.php files to isolate $LAYOUT, $HEADER, and/or $FOOTER into a data structure that can be sent to the newer e_theme::loadLayout(). This is slow, bulky, and requires a lot of effort.

[Jimmi08]

Hi,
I suggest removing the support of legacy themes from version 2.4. Updating some needed old themes is better than using outdated code causing trouble.

Those themes will not work in PHP 8 either (mostly, because of constants). It would help to focus on real problems with a new theme way.