Commit 4193a826 authored by Brion Vibber's avatar Brion Vibber

Ticket #2796: don't allow arbitrary overriding of the 'action' class and other...

Ticket #2796: don't allow arbitrary overriding of the 'action' class and other parameters pulled from the URL mapper.

This protects against oddities such as manual invocation of the ClientError action, which can spoof error messages.
parent ca55d6c5
......@@ -272,7 +272,11 @@ function main()
return;
}
$args = array_merge($args, $_REQUEST);
// Note the order here: arguments from the URL mapper will
// override request params that have been sent. This ensures
// that for instance an action parameter can't be overridden
// with an arbitrary action class.
$args = array_merge($_REQUEST, $args);
Event::handle('ArgsInitialize', array(&$args));
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment