[RFC|Merged] Request Class

These requests for comments/change have led to an implemented feature that has been successfully merged into the 3.1/Ascraeus branch. Everything listed in this forum will be available in phpBB 3.1.
naderman
Product Manager
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Karlsruhe, Germany

Post by naderman » Mon Jul 19, 2010 8:23 am

Motivation
During the MOD review process insecure uses of super globals are still found. In phpBB 3.0 super globals are directly accessed in several places because request_var is not powerful enough to handle those parts.

Proposal
There should be a request class providing more mechanisms for dealing with user input than the current request_var. It should be entirely backwards compatible, so code using request_var and isset on super globals continues to work. It should turn super global access into an error. It must be possible to disable this behaviour for integration of 3rd party code that needs access to super globals.

Tracker ticket
Handle user input through a request class providing a more complete mechanism than request_var

Patch in progress
http://github.com/naderman/phpbb3/compa ... uest-class
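
A minimal sketch of the mechanism the proposal describes, added here as an example; it is not part of the original post and not phpBB's code. Class and method names are hypothetical, only `$_GET` and `$_POST` are covered, and PHP 8 is assumed.

```php
<?php
// Added illustration for PHP 8+; class and method names are hypothetical, not phpBB's.
final class DeactivatedSuperGlobal implements ArrayAccess
{
    public function __construct(private string $name, private array $original) {}

    // isset($_GET['x']) keeps working, so legacy existence checks do not break.
    public function offsetExists(mixed $offset): bool { return isset($this->original[$offset]); }

    // Any read or write raises an error instead of handing out raw input.
    public function offsetGet(mixed $offset): mixed { throw new LogicException("Direct access to {$this->name} is disabled"); }
    public function offsetSet(mixed $offset, mixed $value): void { $this->offsetGet($offset); }
    public function offsetUnset(mixed $offset): void { $this->offsetGet($offset); }
}

final class Request
{
    private array $input;
    public function __construct()
    {
        // Capture the raw input once, then lock the super globals.
        $this->input = ['_GET' => $_GET, '_POST' => $_POST];
        $this->disableSuperGlobals();
    }
    public function disableSuperGlobals(): void
    {
        $_GET = new DeactivatedSuperGlobal('$_GET', $this->input['_GET']);
        $_POST = new DeactivatedSuperGlobal('$_POST', $this->input['_POST']);
    }
    // Escape hatch for third-party code that reads the super globals itself.
    public function enableSuperGlobals(): void
    {
        $_GET = $this->input['_GET'];
        $_POST = $this->input['_POST'];
    }
    // Typed read: a scalar is cast to the type of $default, anything else yields $default.
    public function variable(string $name, mixed $default, string $source = '_GET'): mixed
    {
        $value = $this->input[$source][$name] ?? null;
        if (!is_scalar($value)) { return $default; }
        settype($value, gettype($default));
        return $value;
    }
}

$_GET = ['t' => '42abc', 'mode' => 'view'];   // constructed sample input
$request = new Request();
var_dump($request->variable('t', 0), isset($_GET['mode']));
try { $mode = $_GET['mode']; } catch (LogicException $e) { echo $e->getMessage(), "\n"; }
$request->enableSuperGlobals();               // third-party integration path
var_dump($_GET['mode']);
```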

igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

Re: [RFC|Accepted] Request Class

Post by igorw » Sun Aug 29, 2010 8:34 pm

This patch needs to be adjusted to use autoloading.

What should happen with phpbb_request?

1. rename to phpbb_request_request (eww)
2. rename file to includes/request.php
3. ???

Re: [RFC|Accepted] Request Class

Post by igorw » Mon Aug 30, 2010 9:31 pm

I've done some work on the autoloading as per proposed option 1 here: http://github.com/evil3/phpbb3/commits/ ... uest-class

EDIT: There are still a few locations that access superglobals directly, they also need to be patched.

Re: [RFC|Accepted] Request Class

Post by igorw » Tue Aug 31, 2010 7:49 pm

It turns out the class loader supports resolving phpbb_request to includes/request/request.php, so there is no need for phpbb_request_request.

Re: [RFC|Accepted] Request Class

Post by igorw » Mon Sep 27, 2010 8:55 pm

I have done the integration: http://github.com/igorw/phpbb3/compare/ ... uest-class

Some review/testing would be nice. Some places can probably be simplified, feel free to point them out or submit a patch for them. But make sure that it actually can be changed to something simpler without breaking things.

bantu
3.0 Release Manager
Posts: 557
Joined: Thu Sep 07, 2006 11:22 am
Location: Karlsruhe, Germany

Re: [RFC|Accepted] Request Class

Post by bantu » Tue Sep 28, 2010 12:51 pm

igorw wrote:
> I have done the integration: http://github.com/igorw/phpbb3/compare/ ... uest-class
>
> Some review/testing would be nice. Some places can probably be simplified, feel free to point them out or submit a patch for them. But make sure that it actually can be changed to something simpler without breaking things.

A small thing that I noticed is that the last line has been changed in phpBB/includes/acp/acp_profile.php.

Re: [RFC|Accepted] Request Class

Post by igorw » Tue Sep 28, 2010 1:29 pm

Which is interesting, because the actual file does not contain the newline. But that's just a minor thing anyway.

Re: [RFC|Accepted] Request Class

Post by igorw » Mon Oct 11, 2010 10:51 am

Request class has been merged into develop.

Re: [RFC|Accepted] Request Class

Post by bantu » Tue Oct 12, 2010 9:55 am

igorw wrote:
> Request class has been merged into develop.

Could you please look into the PHP Fatal error, it's probably only related to tests.

afischer@miraculix:/var/www/projects/phpbb3/tests$ phpunit all_tests.php 
PHPUnit 3.4.15 by Sebastian Bergmann.

............................................................  60 / 867
.......................................PHP Fatal error:  Call to a member function variable() on a non-object in /var/www/projects/phpbb3/phpBB/includes/db/dbal.php on line 716
...E.E
1
E..
noloop
E...first

0

x

set
last
EE....E. 120 / 867
.......................IIIIIIIIIII.......................... 180 / 867
............................................................ 240 / 867
............................................................ 300 / 867
............................................................ 360 / 867
............................................................ 420 / 867
............................................................ 480 / 867
............................................................ 540 / 867
............................................................ 600 / 867
............................................

Re: [RFC|Accepted] Request Class

Post by igorw » Tue Oct 12, 2010 2:04 pm

I never got that one. Thanks, fixing.