[RFC|Merged] Request Class

These requests for comments/change have led to an implemented feature that has been successfully merged into the 3.1/Ascraeus branch. Everything listed in this forum will be available in phpBB 3.1.
naderman
Consultant
Posts: 1727
Joined: Sun Jan 11, 2004 2:11 am
Location: Berlin, Germany

[RFC|Merged] Request Class

Post by naderman »

Motivation
During the MOD review process insecure uses of super globals are still found. In phpBB 3.0 super globals are directly accessed in several places because request_var is not powerful enough to handle those parts.

Proposal
There should be a request class providing more mechanisms for dealing with user input than the current request_var. It should be entirely backwards compatible, so code using request_var and isset on super globals continues to work. It should turn super global access into an error. It must be possible to disable this behaviour for integration of 3rd party code that needs access to super globals.

Tracker ticket
Handle user input through a request class providing a more complete mechanism than request_var

Patch in progress
http://github.com/naderman/phpbb3/compa ... uest-class
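
The three behaviours the proposal asks for (typed input access, `isset` on super globals still working, direct reads turned into an error with an opt-out for third-party code) can be sketched as follows. This is an added example, not code from the patch or from phpBB; the class names `Request` and `DeactivatedSuperGlobal` and the method `allowSuperGlobals` are hypothetical, and it assumes PHP 8.

```php
<?php
// Added illustration; class and method names are hypothetical, not phpBB's own.
final class DeactivatedSuperGlobal implements ArrayAccess
{
    public function __construct(private string $name, private array $data) {}
    // isset($_GET['x']) keeps working, so existing existence checks do not break.
    public function offsetExists(mixed $offset): bool { return isset($this->data[$offset]); }
    // Any read or write through the super global is an error.
    public function offsetGet(mixed $offset): mixed { throw $this->denied(); }
    public function offsetSet(mixed $offset, mixed $value): void { throw $this->denied(); }
    public function offsetUnset(mixed $offset): void { throw $this->denied(); }
    private function denied(): LogicException
    {
        return new LogicException("Direct access to \${$this->name} is disabled");
    }
}

final class Request
{
    private array $original = [];
    public function __construct()
    {
        // This sketch covers only the three always-populated input arrays.
        foreach (['_GET', '_POST', '_COOKIE'] as $name) {
            $this->original[$name] = $GLOBALS[$name] ?? [];
        }
        $this->allowSuperGlobals(false);
    }
    // Typed read: the type of $default decides the cast applied to the input.
    public function variable(string $key, int|string $default, string $source = '_GET'): int|string
    {
        $value = $this->original[$source][$key] ?? $default;
        if (is_array($value)) { return $default; }
        return is_int($default) ? (int) $value : trim((string) $value);
    }
    // Pass true before calling third-party code that needs the raw arrays.
    public function allowSuperGlobals(bool $allow): void
    {
        foreach ($this->original as $name => $data) {
            $GLOBALS[$name] = $allow ? $data : new DeactivatedSuperGlobal($name, $data);
        }
    }
}

// Constructed sample input, then: typed read, isset() check, blocked direct read.
$_GET = ['t' => '42abc'];
$request = new Request();
var_dump($request->variable('t', 0), isset($_GET['t']));
try { $x = $_GET['t']; } catch (LogicException $e) { echo $e->getMessage(), "\n"; }
```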

igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

Re: [RFC|Accepted] Request Class

Post by igorw »

This patch needs to be adjusted to use autoloading.

What should happen with phpbb_request?

1. rename to phpbb_request_request (eww)
2. rename file to includes/request.php
3. ???

igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

Re: [RFC|Accepted] Request Class

Post by igorw »

I've done some work on the autoloading as per proposed option 1 here: http://github.com/evil3/phpbb3/commits/ ... uest-class

EDIT: There are still a few locations that access superglobals directly, they also need to be patched.

igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

Re: [RFC|Accepted] Request Class

Post by igorw »

It turns out the class loader supports resolving phpbb_request to includes/request/request.php, so there is no need for phpbb_request_request.

igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

Re: [RFC|Accepted] Request Class

Post by igorw »

I have done the integration: http://github.com/igorw/phpbb3/compare/ ... uest-class

Some review/testing would be nice. Some places can probably be simplified, feel free to point them out or submit a patch for them. But make sure that it actually can be changed to something simpler without breaking things.

bantu
3.0 Release Manager
Posts: 557
Joined: Thu Sep 07, 2006 11:22 am
Location: Karlsruhe, Germany

Re: [RFC|Accepted] Request Class

Post by bantu »

igorw wrote:
> I have done the integration: http://github.com/igorw/phpbb3/compare/ ... uest-class
>
> Some review/testing would be nice. Some places can probably be simplified, feel free to point them out or submit a patch for them. But make sure that it actually can be changed to something simpler without breaking things.

A small thing that I noticed is that the last line has been changed in phpBB/includes/acp/acp_profile.php.

igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

Re: [RFC|Accepted] Request Class

Post by igorw »

Which is interesting, because the actual file does not contain the newline. But that's just a minor thing anyway.

igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

Re: [RFC|Accepted] Request Class

Post by igorw »

Request class has been merged into develop.

bantu
3.0 Release Manager
Posts: 557
Joined: Thu Sep 07, 2006 11:22 am
Location: Karlsruhe, Germany

Re: [RFC|Accepted] Request Class

Post by bantu »

igorw wrote:
> Request class has been merged into develop.

Could you please look into the PHP Fatal error, it's probably only related to tests.

Code:

afischer@miraculix:/var/www/projects/phpbb3/tests$ phpunit all_tests.php 
PHPUnit 3.4.15 by Sebastian Bergmann.

............................................................  60 / 867
.......................................PHP Fatal error:  Call to a member function variable() on a non-object in /var/www/projects/phpbb3/phpBB/includes/db/dbal.php on line 716
...E.E
1
E..
noloop
E...first

0

x

set
last
EE....E. 120 / 867
.......................IIIIIIIIIII.......................... 180 / 867
............................................................ 240 / 867
............................................................ 300 / 867
............................................................ 360 / 867
............................................................ 420 / 867
............................................................ 480 / 867
............................................................ 540 / 867
............................................................ 600 / 867
............................................

igorw
Registered User
Posts: 500
Joined: Thu Jan 04, 2007 11:47 pm

Re: [RFC|Accepted] Request Class

Post by igorw »

I never got that one. Thanks, fixing.
