From dcb16035d73038c1e8f41464ce5bad33176a1ab5 Mon Sep 17 00:00:00 2001
From: Hayder Sharhan <hsharhan@ebay.com>
Date: Thu, 25 Feb 2016 11:00:21 -0600
Subject: [PATCH] MAGETWO-48819: [GitHub #3233] Arbitrary PHP code execution in
 M2.0.2

- Removed eval statement from phrase parser.
---
 setup/src/Magento/Setup/Module/I18n/Dictionary/Phrase.php | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/setup/src/Magento/Setup/Module/I18n/Dictionary/Phrase.php b/setup/src/Magento/Setup/Module/I18n/Dictionary/Phrase.php
index 388ece942db..1c7347f2892 100644
--- a/setup/src/Magento/Setup/Module/I18n/Dictionary/Phrase.php
+++ b/setup/src/Magento/Setup/Module/I18n/Dictionary/Phrase.php
@@ -275,8 +275,6 @@ class Phrase
             $string = preg_replace('/([^\\\\])' . $encloseQuote . ' ?\. ?' . $encloseQuote . '/', '$1', $string);
             $string = addslashes($string);
         }
-        $evalString = 'return ' . $encloseQuote . $string . $encloseQuote . ';';
-        $result = @eval($evalString);
-        return is_string($result) ? $result :  $string;
+        return $string;
     }
 }
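Review bot: The `$string = addslashes($string);` line kept inside the `if` above the new `return $string;` now reaches the caller unchanged. It appears to have been there only to make the phrase safe to embed in the eval'd literal, so with the eval gone a phrase containing a quote or backslash would come back with extra backslashes. The escape sequences the eval used to decode (such as an escaped enclosing quote in the source literal) are also no longer decoded, so extracted dictionary keys may stop matching the runtime strings. Consider dropping the `addslashes` call and unescaping explicitly without executing anything, for example `$string = str_replace('\\' . $encloseQuote, $encloseQuote, $string);` before the return. A regression test would also help, asserting that phrase text containing PHP interpolation syntax is returned as inert text. The enclosing method starts outside this hunk, so the branch condition and the origin of `$encloseQuote` could not be checked here.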
-- 
GitLab