makary/phpbb
1
0
Fork 0
mirror of https://github.com/phpbb/phpbb.git synced 2025-06-28 06:08:52 +00:00
Code Issues Projects Releases Packages Wiki Activity

[ticket/security-155] Cast the types of string values in the controller routes

Browse source 
SECURITY-155
This commit is contained in:
Joas Schilling 2014-08-08 17:07:19 +02:00
parent f6da266109
commit 558aff46cd
1 changed files with 17 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
phpBB/phpbb/controller/resolver.php
View file

@ -40,6 +40,12 @@ class resolver implements ControllerResolverInterface
*/ */
protected $template; protected $template;
/**
* Requst type cast helper object
* @var \phpbb\request\type_cast_helper
*/
protected $type_cast_helper;
/** /**
* phpBB root path * phpBB root path
* @var string * @var string
@ -59,6 +65,7 @@ class resolver implements ControllerResolverInterface
$this->user = $user; $this->user = $user;
$this->container = $container; $this->container = $container;
$this->template = $template; $this->template = $template;
$this->type_cast_helper = new \phpbb\request\type_cast_helper();
$this->phpbb_root_path = $phpbb_root_path; $this->phpbb_root_path = $phpbb_root_path;
} }
@ -138,7 +145,16 @@ class resolver implements ControllerResolverInterface
{ {
if (array_key_exists($param->name, $attributes)) if (array_key_exists($param->name, $attributes))
{ {
$arguments[] = $attributes[$param->name]; if (is_string($attributes[$param->name]))
{
$value = $attributes[$param->name];
$this->type_cast_helper->set_var($value, $attributes[$param->name], 'string', true, false);
$arguments[] = $value;
}
else
{
$arguments[] = $attributes[$param->name];
}
} }
else if ($param->getClass() && $param->getClass()->isInstance($request)) else if ($param->getClass() && $param->getClass()->isInstance($request))
{ {