From 63ee91c82e3fa17f5ade147aff8d319104b9e52e Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Fri, 20 Dec 2019 14:39:38 +0300
Subject: [PATCH] backend: load invoked classes via reflection so object constructor is called after it has been verified as an IHandler implementation. this should prevent a potential router vulnerability if non-IHandler autoloader-enabled class is requested by malicious authorized user *and* invoked class object does something insecurely in its constructor.
---
 backend.php | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/backend.php b/backend.php
index cb158f705..e65ce1b94 100644
--- a/backend.php
+++ b/backend.php
@@ -98,10 +98,13 @@
 if ($override) {
 $handler = $override;
 } else {
- $handler = new $op($_REQUEST);
+ $reflection = new ReflectionClass($op);
+ $handler = $reflection->newInstanceWithoutConstructor();
 }
 
 if ($handler && implements_interface($handler, 'IHandler')) {
+ $handler->__construct($_REQUEST);
+
 if (validate_csrf($csrf_token) || $handler->csrf_ignore($method)) {
 if ($handler->before($method)) {
 if ($method && method_exists($handler, $method)) {
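Review bot: The interface check still runs on an object that already exists, so a requested class that is not an IHandler is instantiated by `newInstanceWithoutConstructor()` anyway; any destructor it has would still run on an uninitialised object, and the call can throw for classes that cannot be created this way (abstract classes, some internal final classes). Checking on the reflection object before anything is created avoids both: `$handler = ($reflection->isInstantiable() && $reflection->implementsInterface('IHandler')) ? $reflection->newInstance($_REQUEST) : null;`. That would also make the explicit `$handler->__construct($_REQUEST);` unnecessary; as written it is reached for the `$override` branch too, so an object that was handed in already built appears to have its constructor run a second time. The enclosing `if` chain starts and ends outside this hunk, so how `$op` is validated before this point is not visible here.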