public/tt-rss
1
0
Fork 0
mirror of https://git.tt-rss.org/git/tt-rss.git synced 2025-12-15 10:05:58 +00:00
Code Issues Releases Wiki Activity

backend: load invoked classes via reflection so object constructor is called after it has been verified as an IHandler implementation.

Browse Source 
this should prevent a potential router vulnerability if non-IHandler autoloader-enabled class is requested by malicious authorized user *and* invoked class object does something insecurely in its constructor.
This commit is contained in:
Andrew Dolgov
2019-12-20 14:39:38 +03:00
parent e9b4834b6b
commit 63ee91c82e
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
backend.php
View File

@@ -98,10 +98,13 @@
if ($override) { if ($override) {
$handler = $override; $handler = $override;
} else { } else {
$handler = new $op($_REQUEST); $reflection = new ReflectionClass($op);
$handler = $reflection->newInstanceWithoutConstructor();
} }
if ($handler && implements_interface($handler, 'IHandler')) { if ($handler && implements_interface($handler, 'IHandler')) {
$handler->__construct($_REQUEST);
if (validate_csrf($csrf_token) || $handler->csrf_ignore($method)) { if (validate_csrf($csrf_token) || $handler->csrf_ignore($method)) {
if ($handler->before($method)) { if ($handler->before($method)) {
if ($method && method_exists($handler, $method)) { if ($method && method_exists($handler, $method)) {