ZF2-96: Locator Dispatch Security

Issue Type:
Improvement
Created:
2011-11-01T22:47:11.000+0000
Last Updated:
2012-08-20T13:58:44.000+0000
Status:
Resolved
Fix version(s):
    Reporter:
    Tim Glabisch (timglabisch)
    Assignee:
    Matthew Weier O'Phinney (matthew)
    Tags:
    • Zend\Mvc
    • Dispatch
    • Locator
    • Security
    Related issues:
    Attachments:

    Description

    i dont like this row:

    https://github.com/zendframework/zf2/…

    try { controller = $locator->get($controllerName); } catch (ClassNotFoundException $exception) {

    i use a selfwritten DiC, if the ->get function is called, my DiC build a graph and create all (nested) instances - so all constructors are called. i dont want the frontend-user to be able to call the constructors of the classes managed in the DiC.

    may an alternative would be a function like $locator->getClassname() and using reflection to figure out if the class implements Dispatchable

    Comments

    Posted by Maks 3w (maks3w) on 2012-07-26T20:04:24.000+0000

    [~padraic] ping

    Posted by Matthew Weier O'Phinney (matthew) on 2012-07-26T20:43:01.000+0000

    This should be resolved as of RC1.

    Posted by Maks 3w (maks3w) on 2012-08-18T08:57:20.000+0000

    If IIRC this was already fixed.

    [~timglabisch] Can you verify again?

    Posted by Matthew Weier O'Phinney (matthew) on 2012-08-20T13:58:44.000+0000

    This was fixed prior to RC1, and a fix for DI was included in RC2. The solution was to require a whitelist of controllers that the controller loader (and DI container) can instantiate; any that fall outside that will be ignored, resulting in a 404.