mirror of
https://git.tt-rss.org/git/tt-rss.git
synced 2025-12-12 22:35:55 +00:00
backend: load invoked classes via reflection so object constructor is called after it has been verified as an IHandler implementation.
this should prevent a potential router vulnerability if non-IHandler autoloader-enabled class is requested by malicious authorized user *and* invoked class object does something insecurely in its constructor.
This commit is contained in:
Andrew Dolgov
@@ -98,10 +98,13 @@
|
||||
if ($override) {
|
||||
$handler = $override;
|
||||
} else {
|
||||
$handler = new $op($_REQUEST);
|
||||
$reflection = new ReflectionClass($op);
|
||||
$handler = $reflection->newInstanceWithoutConstructor();
|
||||
}
|
||||
|
||||
if ($handler && implements_interface($handler, 'IHandler')) {
|
||||
$handler->__construct($_REQUEST);
|
||||
|
||||
if (validate_csrf($csrf_token) || $handler->csrf_ignore($method)) {
|
||||
if ($handler->before($method)) {
|
||||
if ($method && method_exists($handler, $method)) {
|
||||
|
||||
Reference in New Issue
Block a user