backend: load invoked classes via reflection so object constructor is called after it has been verified as an IHandler implementation.

this should prevent a potential router vulnerability if non-IHandler autoloader-enabled class is requested by malicious authorized user *and* invoked class object does something insecurely in its constructor.
master
Andrew Dolgov 3 years ago
parent e9b4834b6b
commit 63ee91c82e
  1. 5
      backend.php

@ -98,10 +98,13 @@
if ($override) {
$handler = $override;
} else {
$handler = new $op($_REQUEST);
$reflection = new ReflectionClass($op);
$handler = $reflection->newInstanceWithoutConstructor();
}
if ($handler && implements_interface($handler, 'IHandler')) {
$handler->__construct($_REQUEST);
if (validate_csrf($csrf_token) || $handler->csrf_ignore($method)) {
if ($handler->before($method)) {
if ($method && method_exists($handler, $method)) {

Loading…
Cancel
Save