backend: load invoked classes via reflection so object constructor is called after it has been verified as an IHandler implementation.

this should prevent a potential router vulnerability if non-IHandler autoloader-enabled class is requested by malicious authorized user *and* invoked class object does something insecurely in its constructor.
This commit is contained in:
Andrew Dolgov 2019-12-20 14:39:38 +03:00
parent e9b4834b6b
commit 63ee91c82e
1 changed files with 4 additions and 1 deletions

View File

@ -98,10 +98,13 @@
if ($override) { if ($override) {
$handler = $override; $handler = $override;
} else { } else {
$handler = new $op($_REQUEST); $reflection = new ReflectionClass($op);
$handler = $reflection->newInstanceWithoutConstructor();
} }
if ($handler && implements_interface($handler, 'IHandler')) { if ($handler && implements_interface($handler, 'IHandler')) {
$handler->__construct($_REQUEST);
if (validate_csrf($csrf_token) || $handler->csrf_ignore($method)) { if (validate_csrf($csrf_token) || $handler->csrf_ignore($method)) {
if ($handler->before($method)) { if ($handler->before($method)) {
if ($method && method_exists($handler, $method)) { if ($method && method_exists($handler, $method)) {