diff options
| author | Andrew Dolgov <[email protected]> | 2019-12-20 14:39:38 +0300 |
|---|---|---|
| committer | Andrew Dolgov <[email protected]> | 2019-12-20 14:39:38 +0300 |
| commit | 63ee91c82e3fa17f5ade147aff8d319104b9e52e (patch) | |
| tree | c47315de3272c01e970b9429afc6528efd883f64 /backend.php | |
| parent | e9b4834b6ba788f43b8ce0bca13a9526df11d472 (diff) | |
backend: load invoked classes via reflection so object constructor is called after it has been verified as an IHandler implementation.
this should prevent a potential router vulnerability if non-IHandler autoloader-enabled class is requested by malicious authorized user *and* invoked class object does something insecurely in its constructor.
Diffstat (limited to 'backend.php')
| -rw-r--r-- | backend.php | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/backend.php b/backend.php index cb158f705..e65ce1b94 100644 --- a/backend.php +++ b/backend.php @@ -98,10 +98,13 @@ if ($override) { $handler = $override; } else { - $handler = new $op($_REQUEST); + $reflection = new ReflectionClass($op); + $handler = $reflection->newInstanceWithoutConstructor(); } if ($handler && implements_interface($handler, 'IHandler')) { + $handler->__construct($_REQUEST); + if (validate_csrf($csrf_token) || $handler->csrf_ignore($method)) { if ($handler->before($method)) { if ($method && method_exists($handler, $method)) { |