Bug #57410

initializeAction() can be called as controller action from request

Added by Thomas Pilgaard Carlsen over 1 year ago. Updated over 1 year ago.

Status: Resolved
Start date: 2014-03-28
Priority: Should have
Due date:
Assigned To: Bastian Waidelich
% Done: 100%
Category: MVC
Target version: -
PHP Version:
Complexity:
Has patch: No
Affected Flow version: Flow 2.0.0

Description

The following request can be called without restriction:

vendor.mypackage/standard/initialize

Results in "Template Initialize.html could not be loaded"

It seems to me that initializeAction should only be used internally in controller and should not be callable from request.

bug-57410.patch - Patch (928 Bytes) Thomas Pilgaard Carlsen, 2014-03-28 14:01

Associated revisions

Revision 90132ee4
Added by Bastian Waidelich over 1 year ago

[BUGFIX] Prevent invocation of protected controller methods

Currently any method with an "Action" suffix is callable via the
default request handling if a corresponding route exists.

For the fallback routes provided by Flow this is the case for the
``initialize*Action()`` methods that are called before the actual
action invocation.

This change adds a check for the visibility of an action method
and only allows invocation of public methods.

Change-Id: I076a56118b5fad112adf0dba0dee7b4711cfe903
Fixes: #57410
Releases: master, 2.2, 2.1

Revision 22212565
Added by Bastian Waidelich over 1 year ago

[BUGFIX] Prevent invocation of protected controller methods

Currently any method with an "Action" suffix is callable via the
default request handling if a corresponding route exists.

For the fallback routes provided by Flow this is the case for the
``initialize*Action()`` methods that are called before the actual
action invocation.

This change adds a check for the visibility of an action method
and only allows invocation of public methods.

Change-Id: I076a56118b5fad112adf0dba0dee7b4711cfe903
Fixes: #57410
Releases: master, 2.2, 2.1

Revision b358926f
Added by Bastian Waidelich over 1 year ago

[BUGFIX] Prevent invocation of protected controller methods

Currently any method with an "Action" suffix is callable via the
default request handling if a corresponding route exists.

For the fallback routes provided by Flow this is the case for the
``initialize*Action()`` methods that are called before the actual
action invocation.

This change adds a check for the visibility of an action method
and only allows invocation of public methods.

Change-Id: I076a56118b5fad112adf0dba0dee7b4711cfe903
Fixes: #57410
Releases: master, 2.2, 2.1

History

#1 Updated by Thomas Pilgaard Carlsen over 1 year ago

Made a patch.

#2 Updated by Alexander Berl over 1 year ago

Wouldn't it maybe make sense to restrict it to public methods instead of hardcoding a special internal method name (that might change in the future)? Would need proper testing for performance, but it would be the more generic solution.

#3 Updated by Bastian Waidelich over 1 year ago

  • Status changed from New to Needs Feedback

Alexander Berl wrote:

Wouldn't it maybe make sense to restrict it to public methods instead of hardcoding a special internal method name (that might change in the future)? Would need proper testing for performance, but it would be the more generic solution.

I agree! Also the approach would not fix the problem for the action specific initialize-methods that you can implement (e.g. "initializeIndexAction()").
I just gave this a quick try and the following fix could work:

In the ActionController change 3 additional lines:

    protected function resolveActionMethodName() {
        // .....
        // new: only public methods may be invoked as actions; protected
        // initialize*Action() hooks are rejected like an unknown action
        if (!$this->reflectionService->isMethodPublic(get_class($this), $actionMethodName)) {
            throw new NoSuchActionException(sprintf('The action "%s" in controller "%s" must be public!', $actionMethodName, get_class($this)), 1186669086);
        }
        // ...
    }

Anyone feel free to push this to gerrit (preferably with a test).
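As an added example (not Flow's code and not the patch attached to this issue): a stripped-down stand-in for action resolution that shows why a suffix-only check exposes the protected initialize*Action() hooks and how the visibility check proposed in #3 closes it. It uses PHP's own ReflectionMethod instead of Flow's ReflectionService; class and method names are made up.

```php
<?php
// Added example, not Flow's own code: a minimal stand-in for Flow's action
// resolution. With only the "Action" suffix checked, the protected
// initialize*Action() hooks resolve like any action; requiring the method
// to be public (as the fix does) rejects them. Names here are made up.

class NoSuchActionException extends \Exception {}

abstract class BaseController
{
    // Lifecycle hooks: run by the framework before the action, never by a client.
    protected function initializeAction(): void {}
    protected function initializeIndexAction(): void {}

    // $requirePublic = false mirrors the behaviour before the fix.
    public function resolveActionMethodName(string $actionName, bool $requirePublic = true): string
    {
        $actionMethodName = $actionName . 'Action';
        if (!method_exists($this, $actionMethodName)) {
            throw new NoSuchActionException(sprintf('No action "%s"', $actionMethodName));
        }
        // The fix: reject everything that is not public (protected hooks, private helpers).
        if ($requirePublic && !(new \ReflectionMethod($this, $actionMethodName))->isPublic()) {
            throw new NoSuchActionException(sprintf(
                'The action "%s" in controller "%s" must be public!', $actionMethodName, get_class($this)
            ));
        }
        return $actionMethodName;
    }
}

class StandardController extends BaseController
{
    public function indexAction(): string { return 'index'; }
}

$controller = new StandardController();
foreach (['index', 'initialize', 'initializeIndex'] as $action) {
    foreach ([false, true] as $requirePublic) {
        $label = $requirePublic ? 'public-only' : 'suffix-only';
        try {
            $method = $controller->resolveActionMethodName($action, $requirePublic);
            printf("%-12s %-16s -> resolves to %s()\n", $label, $action, $method);
        } catch (NoSuchActionException $e) {
            printf("%-12s %-16s -> rejected: %s\n", $label, $action, $e->getMessage());
        }
    }
}
```

Only "index" resolves in both modes; "initialize" and "initializeIndex" resolve under the suffix-only check (the reported bug) and are rejected once the method must be public.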

#4 Updated by Bastian Waidelich over 1 year ago

  • Category set to MVC
  • Status changed from Needs Feedback to Accepted
  • Assigned To set to Bastian Waidelich

#5 Updated by Gerrit Code Review over 1 year ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.Flow has been pushed to the review server.
It is available at https://review.typo3.org/28979

#6 Updated by Bastian Waidelich over 1 year ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#7 Updated by Gerrit Code Review over 1 year ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch 2.2 of project Packages/TYPO3.Flow has been pushed to the review server.
It is available at https://review.typo3.org/29076

#8 Updated by Gerrit Code Review over 1 year ago

Patch set 1 for branch 2.1 of project Packages/TYPO3.Flow has been pushed to the review server.
It is available at https://review.typo3.org/29080

#9 Updated by Bastian Waidelich over 1 year ago

  • Status changed from Under Review to Resolved
