backend: load invoked classes via reflection so object constructor is called after it has been verified as an IHandler implementation.
this should prevent a potential router vulnerability if non-IHandler autoloader-enabled class is requested by malicious authorized user *and* invoked class object does something insecurely in its constructor.
This commit is contained in:
parent
e9b4834b6b
commit
63ee91c82e
|
@ -98,10 +98,13 @@
|
|||
if ($override) {
|
||||
$handler = $override;
|
||||
} else {
|
||||
$handler = new $op($_REQUEST);
|
||||
$reflection = new ReflectionClass($op);
|
||||
$handler = $reflection->newInstanceWithoutConstructor();
|
||||
}
|
||||
|
||||
if ($handler && implements_interface($handler, 'IHandler')) {
|
||||
$handler->__construct($_REQUEST);
|
||||
|
||||
if (validate_csrf($csrf_token) || $handler->csrf_ignore($method)) {
|
||||
if ($handler->before($method)) {
|
||||
if ($method && method_exists($handler, $method)) {
|
||||
|
|
Loading…
Reference in New Issue