Browse Source

backend: load invoked classes via reflection so object constructor is called after it has been verified as an IHandler implementation.

this should prevent a potential router vulnerability if non-IHandler autoloader-enabled class is requested by malicious authorized user *and* invoked class object does something insecurely in its constructor.
Andrew Dolgov 6 months ago
parent
commit
63ee91c82e
1 changed files with 4 additions and 1 deletions
  1. 4 1
      backend.php

+ 4 - 1
backend.php

@@ -98,10 +98,13 @@
 		if ($override) {
 			$handler = $override;
 		} else {
-			$handler = new $op($_REQUEST);
+			$reflection = new ReflectionClass($op);
+			$handler = $reflection->newInstanceWithoutConstructor();
 		}
 
 		if ($handler && implements_interface($handler, 'IHandler')) {
+			$handler->__construct($_REQUEST);
+
 			if (validate_csrf($csrf_token) || $handler->csrf_ignore($method)) {
 				if ($handler->before($method)) {
 					if ($method && method_exists($handler, $method)) {