Motivation
During the MOD review process insecure uses of super globals are still found. In phpBB 3.0 super globals are directly accessed in several places because request_var is not powerful enough to handle those parts.
Proposal
There should be a request class providing more mechanisms for dealing with user input than the current request_var. It should be entirely backwards compatible, so code using request_var and isset on super globals continues to work. It should turn super global access into an error. It must be possible to disable this behaviour for integration of 3rd party code that needs access to super globals.
Tracker ticket
Handle user input through a request class providing a more complete mechanism than request_var
Patch in progress
http://github.com/naderman/phpbb3/compa ... uest-class
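One way to get the behaviour the RFC asks for (raw super global reads become an error, isset() keeps working, protection can be switched off for third-party code), as an added PHP 8 example that is not phpBB's own request class; all class and method names are hypothetical:

```php
<?php
// Added example (not phpBB's code): a request class along the lines of the RFC.
// Raw super global reads trigger an error, isset() keeps working and the
// protection can be switched off for third-party code. All names are hypothetical.
class protected_super_global implements ArrayAccess
{
    private $protect = true;
    public function __construct(private string $name, private array $data) {}
    public function set_protection(bool $on): void { $this->protect = $on; }
    public function raw(): array { return $this->data; }   // only the request class reads this
    public function offsetExists($k): bool { return isset($this->data[$k]); }   // isset() stays legal
    public function offsetGet($k): mixed
    {
        if ($this->protect) {
            trigger_error("Illegal use of \$_{$this->name}; use request->variable()", E_USER_ERROR);
        }
        return $this->data[$k] ?? null;
    }
    public function offsetSet($k, $v): void { $this->data[$k] = $v; }
    public function offsetUnset($k): void { unset($this->data[$k]); }
}
class request
{
    private $globals = array();
    public function __construct()
    {
        // Replace each real super global with a protected wrapper around its data.
        foreach (array('GET', 'POST', 'COOKIE', 'SERVER') as $g) {
            $this->globals[$g] = new protected_super_global($g, $GLOBALS['_' . $g]);
            $GLOBALS['_' . $g] = $this->globals[$g];
        }
    }
    // Like request_var: the default's type decides the cast, strings are trimmed and escaped.
    public function variable($name, $default, $from = 'POST')
    {
        $data = $this->globals[$from]->raw();
        if (!isset($data[$name]) || is_array($data[$name]) !== is_array($default)) return $default;
        $value = $data[$name];
        settype($value, gettype($default));
        return is_string($value) ? htmlspecialchars(trim($value), ENT_COMPAT, 'UTF-8') : $value;
    }
    public function disable_super_globals() { foreach ($this->globals as $g) $g->set_protection(false); }
}
// Constructed sample input, as a client might have posted it.
$_POST = array('f' => '12abc', 'q' => ' <b>x</b> ');
$request = new request();
var_dump(isset($_POST['f']), $request->variable('f', 0), $request->variable('q', ''));
// echo $_POST['f'];   would stop the script with E_USER_ERROR while protection is on
$request->disable_super_globals();   // for integrated code that needs the raw arrays
var_dump($_POST['f']);
```

With protection on, `isset($_POST['f'])` is true and `variable('f', 0)` returns int(12), while a direct `$_POST['f']` read is a fatal E_USER_ERROR; after `disable_super_globals()` the raw string "12abc" is readable again.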
[RFC|Merged] Request Class
Re: [RFC|Accepted] Request Class
This patch needs to be adjusted to use autoloading.
What should happen with phpbb_request?
1. rename to phpbb_request_request (eww)
2. rename file to includes/request.php
3. ???
Re: [RFC|Accepted] Request Class
I've done some work on the autoloading as per proposed option 1 here: http://github.com/evil3/phpbb3/commits/ ... uest-class
EDIT: There are still a few locations that access superglobals directly, they also need to be patched.
Re: [RFC|Accepted] Request Class
It turns out the class loader supports resolving phpbb_request to includes/request/request.php, so there is no need for phpbb_request_request.
Re: [RFC|Accepted] Request Class
I have done the integration: http://github.com/igorw/phpbb3/compare/ ... uest-class
Some review/testing would be nice. Some places can probably be simplified, feel free to point them out or submit a patch for them. But make sure that it actually can be changed to something simpler without breaking things.
bantu (3.0 Release Manager)
Re: [RFC|Accepted] Request Class
igorw wrote:
I have done the integration: http://github.com/igorw/phpbb3/compare/ ... uest-class
Some review/testing would be nice. Some places can probably be simplified, feel free to point them out or submit a patch for them. But make sure that it actually can be changed to something simpler without breaking things.

A small thing that I noticed is that the last line has been changed in phpBB/includes/acp/acp_profile.php.
Re: [RFC|Accepted] Request Class
Which is interesting, because the actual file does not contain the newline. But that's just a minor thing anyway.
Re: [RFC|Accepted] Request Class
Request class has been merged into develop.
bantu (3.0 Release Manager)
Re: [RFC|Accepted] Request Class
igorw wrote:
Request class has been merged into develop.

Could you please look into the PHP Fatal error? It's probably only related to tests.
Code:
afischer@miraculix:/var/www/projects/phpbb3/tests$ phpunit all_tests.php
PHPUnit 3.4.15 by Sebastian Bergmann.
............................................................ 60 / 867
.......................................PHP Fatal error: Call to a member function variable() on a non-object in /var/www/projects/phpbb3/phpBB/includes/db/dbal.php on line 716
...E.E
1
E..
noloop
E...first
0
x
set
last
EE....E. 120 / 867
.......................IIIIIIIIIII.......................... 180 / 867
............................................................ 240 / 867
............................................................ 300 / 867
............................................................ 360 / 867
............................................................ 420 / 867
............................................................ 480 / 867
............................................................ 540 / 867
............................................................ 600 / 867
............................................
Re: [RFC|Accepted] Request Class
I never got that one. Thanks, fixing.