ZF2-96: Locator Dispatch Security


I don't like this row:…

try { $controller = $locator->get($controllerName); } catch (ClassNotFoundException $exception) {

I use a self-written DiC; if the ->get function is called, my DiC builds a graph and creates all (nested) instances, so all constructors are called. I don't want the frontend user to be able to call the constructors of the classes managed in the DiC.

Maybe an alternative would be a function like $locator->getClassname() and using reflection to figure out if the class implements Dispatchable.


[~padraic] ping

This should be resolved as of RC1.

IIRC this was already fixed.

[~timglabisch] Can you verify again?

This was fixed prior to RC1, and a fix for DI was included in RC2. The solution was to require a whitelist of controllers that the controller loader (and DI container) can instantiate; any that fall outside that will be ignored, resulting in a 404.
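Worked example of the two behaviours discussed in this ticket, added here for illustration; it is not Zend Framework code and not the reporter's DiC. It contrasts a loader that hands the route's controller name straight to a container (so the constructor of any managed class runs before the Dispatchable check can reject it) with a loader that consults a whitelist first and, as the suggestion above describes, uses reflection to check the interface before instantiating. All class and function names (Container, loadControllerUnsafe, loadControllerWhitelisted, MailerService) are assumptions made for the example.

```php
<?php
// Added example, not Zend Framework code. Names below are assumptions.

interface Dispatchable
{
    public function dispatch(): string;
}

// A legitimate controller and an internal service whose constructor
// must never be reachable from a request.
final class IndexController implements Dispatchable
{
    public function dispatch(): string { return 'index'; }
}

final class MailerService
{
    public function __construct()
    {
        // In a real application this might open connections or write files.
        echo "MailerService constructor executed\n";
    }
}

// Toy stand-in for a DI container: get() instantiates the named class
// (a real DiC would also build and instantiate its dependency graph).
final class Container
{
    public function get(string $name): object
    {
        if (!class_exists($name)) {
            throw new RuntimeException("Class $name not found");
        }
        return new $name();
    }
}

final class ControllerNotFound extends RuntimeException {}

// Unsafe loader: the route-supplied name goes straight to the container,
// so the constructor has already run by the time the interface is checked.
function loadControllerUnsafe(Container $c, string $controllerName): Dispatchable
{
    try {
        $controller = $c->get($controllerName);
    } catch (RuntimeException $e) {
        throw new ControllerNotFound($controllerName);
    }
    if (!$controller instanceof Dispatchable) {
        throw new ControllerNotFound($controllerName);
    }
    return $controller;
}

// Whitelisted loader: only aliases in the fixed map are resolved; anything
// else becomes a 404 without the container ever being asked. Reflection
// verifies the interface before any object is constructed.
function loadControllerWhitelisted(Container $c, array $whitelist, string $alias): Dispatchable
{
    if (!isset($whitelist[$alias])) {
        throw new ControllerNotFound($alias);
    }
    $class = $whitelist[$alias];
    if (!class_exists($class)
        || !(new ReflectionClass($class))->implementsInterface(Dispatchable::class)) {
        throw new ControllerNotFound($alias);
    }
    $controller = $c->get($class);
    if (!$controller instanceof Dispatchable) {
        throw new ControllerNotFound($alias);
    }
    return $controller;
}

$container = new Container();
$whitelist = ['index' => IndexController::class];

// Constructed request: a controller name chosen by the client in the URL.
$fromRoute = 'MailerService';

try {
    loadControllerUnsafe($container, $fromRoute);
} catch (ControllerNotFound $e) {
    echo "unsafe loader: 404, but the constructor above already ran\n";
}

try {
    loadControllerWhitelisted($container, $whitelist, $fromRoute);
} catch (ControllerNotFound $e) {
    echo "whitelisted loader: 404, no constructor executed\n";
}

echo loadControllerWhitelisted($container, $whitelist, 'index')->dispatch(), "\n";
```

Run with `php example.php`: the first attempt prints the MailerService constructor line before its 404, the second produces only the 404, and the whitelisted alias dispatches normally. The whitelist is what closes the ticket's concern; the reflection check is belt-and-braces for misconfigured whitelist entries.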