ZF2-96: Locator Dispatch Security

Issue Type: Improvement Created: 2011-11-01T22:47:11.000+0000 Last Updated: 2012-08-20T13:58:44.000+0000 Status: Resolved Fix version(s): Reporter: Tim Glabisch (timglabisch) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend\Mvc

  • Dispatch
  • Locator
  • Security

Related issues: Attachments:


i dont like this row:…

try { controller = $locator->get($controllerName); } catch (ClassNotFoundException $exception) {

i use a selfwritten DiC, if the ->get function is called, my DiC build a graph and create all (nested) instances - so all constructors are called. i dont want the frontend-user to be able to call the constructors of the classes managed in the DiC.

may an alternative would be a function like $locator->getClassname() and using reflection to figure out if the class implements Dispatchable


Posted by Maks 3w (maks3w) on 2012-07-26T20:04:24.000+0000

[~padraic] ping

Posted by Matthew Weier O'Phinney (matthew) on 2012-07-26T20:43:01.000+0000

This should be resolved as of RC1.

Posted by Maks 3w (maks3w) on 2012-08-18T08:57:20.000+0000

If IIRC this was already fixed.

[~timglabisch] Can you verify again?

Posted by Matthew Weier O'Phinney (matthew) on 2012-08-20T13:58:44.000+0000

This was fixed prior to RC1, and a fix for DI was included in RC2. The solution was to require a whitelist of controllers that the controller loader (and DI container) can instantiate; any that fall outside that will be ignored, resulting in a 404.

Have you found an issue?

See the Overview section for more details.


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.