diff options
| author | Marc Alexander <admin@m-a-styles.de> | 2014-08-09 01:46:39 +0200 |
|---|---|---|
| committer | Marc Alexander <admin@m-a-styles.de> | 2014-08-09 01:46:39 +0200 |
| commit | deaa0a8c758acb14a1944c5d3c1fa24364f503c4 (patch) | |
| tree | 43fc7b32e8a2f91c079cfa60406cb229304ee20c /phpBB | |
| parent | 13ccb352ce5190535f271cacbfee66e2b890b22f (diff) | |
| parent | e6f43f5974e5f55776978fc22712b1dd29e83f9e (diff) | |
| download | forums-deaa0a8c758acb14a1944c5d3c1fa24364f503c4.tar forums-deaa0a8c758acb14a1944c5d3c1fa24364f503c4.tar.gz forums-deaa0a8c758acb14a1944c5d3c1fa24364f503c4.tar.bz2 forums-deaa0a8c758acb14a1944c5d3c1fa24364f503c4.tar.xz forums-deaa0a8c758acb14a1944c5d3c1fa24364f503c4.zip | |
Merge pull request #2841 from nickvergessen/ticket/security-155
[ticket/security-155] Cast the types of string values in the controller routes
Diffstat (limited to 'phpBB')
| -rw-r--r-- | phpBB/phpbb/controller/resolver.php | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/phpBB/phpbb/controller/resolver.php b/phpBB/phpbb/controller/resolver.php index efab34b701..948a6a218c 100644 --- a/phpBB/phpbb/controller/resolver.php +++ b/phpBB/phpbb/controller/resolver.php @@ -41,6 +41,12 @@ class resolver implements ControllerResolverInterface protected $template; /** + * Request type cast helper object + * @var \phpbb\request\type_cast_helper + */ + protected $type_cast_helper; + + /** * phpBB root path * @var string */ @@ -59,6 +65,7 @@ class resolver implements ControllerResolverInterface $this->user = $user; $this->container = $container; $this->template = $template; + $this->type_cast_helper = new \phpbb\request\type_cast_helper(); $this->phpbb_root_path = $phpbb_root_path; } @@ -138,7 +145,16 @@ class resolver implements ControllerResolverInterface { if (array_key_exists($param->name, $attributes)) { - $arguments[] = $attributes[$param->name]; + if (is_string($attributes[$param->name])) + { + $value = $attributes[$param->name]; + $this->type_cast_helper->set_var($value, $attributes[$param->name], 'string', true, false); + $arguments[] = $value; + } + else + { + $arguments[] = $attributes[$param->name]; + } } else if ($param->getClass() && $param->getClass()->isInstance($request)) { |