backend: load invoked classes via reflection so object constructor is called after it has been verified as an IHandler implementation. - forks/tt-rss

diff options

author	Andrew Dolgov <noreply@fakecake.org>	2019-12-20 14:39:38 +0300
committer	Andrew Dolgov <noreply@fakecake.org>	2019-12-20 14:39:38 +0300
commit	63ee91c82e3fa17f5ade147aff8d319104b9e52e (patch)
tree	c47315de3272c01e970b9429afc6528efd883f64 /errors.php
parent	e9b4834b6ba788f43b8ce0bca13a9526df11d472 (diff)

backend: load invoked classes via reflection so object constructor is called after it has been verified as an IHandler implementation.

this should prevent a potential router vulnerability if non-IHandler autoloader-enabled class is requested by malicious authorized user *and* invoked class object does something insecurely in its constructor.

Diffstat (limited to 'errors.php')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: