<?php |
use \Common\ContainerMagic; |
use \Common\IPropertyContainer; |
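/**
 * Property container whose reads and writes go through PHP magic methods and
 * can be routed through per-property accessor callables.
 *
 * Plain values are kept in $this->values, which this class does not declare
 * (presumably inherited from ContainerMagic - confirm). The P_CONTAINER_*
 * constants are defined outside this file.
 */
class V2PropertyContainer extends ContainerMagic implements IPropertyContainer {

    /**
     * Property descriptions
     *
     * @var array[]
     */
    protected $properties = array();

    /**
     * Array of accessors - getters/setters/etc
     *
     * Getter is a callable like
     *    function () use ($that) {}
     * or Pimple-like (P_CONTAINER_GETTER_PIMPLE)
     *    function ($this) {}
     *
     * Setter is a callable like
     *    function ($value) use ($that) {}
     *
     * Importer is a callable like
     *    function (&$row) use ($this) {}
     *
     * Exporter is a callable like
     *    function (&$row) use ($this) {}
     *
     * NOTE(review): assignAccessor() stores entries as [$type][$varName] while
     * __set()/__get() use [$name][$type]. As written, an accessor registered
     * through assignAccessor() is not found by the magic methods unless the two
     * key spaces happen to overlap - confirm which layout is intended.
     *
     * @var callable[][]
     */
    protected $accessors;

    /**
     * Replaces the property description list.
     *
     * @param array[] $properties Descriptions keyed by property name (keys are what clearProperties() iterates)
     */
    public function setProperties($properties) {
        $this->properties = $properties;
    }

    // TODO - batch assign
    /**
     * Registers an accessor callable. Empty callables are silently ignored.
     *
     * This is the explicit, code-controlled registration path, so any PHP
     * callable form is accepted here. Callers must never pass request data
     * as $callable.
     *
     * @param string $varName
     * @param mixed $type
     * @param callable|null $callable
     *
     * @throws Exception When $callable is non-empty but not callable in the current scope
     */
    public function assignAccessor($varName, $type, $callable) {
        if (empty($callable)) {
            return;
        }

        if (!is_callable($callable)) {
            throw new Exception('Error assigning callable in ' . get_called_class() . '! Callable typed [' . $type . '] is not a callable or not accessible in the scope');
        }

        $this->accessors[$type][$varName] = $callable;
    }

    /**
     * Magic setter: registers a Pimple-like getter, calls a setter accessor or stores a plain value.
     *
     * @param string $name
     * @param mixed $value
     */
    public function __set($name, $value) {
        // Security: is_callable() alone is also true for a plain string or array that
        // merely names an existing function or method. Property values can originate
        // from request data, so only object callables (closures, invokable objects)
        // are registered as getters; strings and arrays are always treated as data
        // and can never end up in call_user_func() through this path.
        if (is_object($value) && is_callable($value)) {
            $this->accessors[$name][P_CONTAINER_GETTER_PIMPLE] = $value;
        } elseif (isset($this->accessors[$name][P_CONTAINER_SETTER]) && is_callable($this->accessors[$name][P_CONTAINER_SETTER])) {
            // isset() guard avoids undefined index/key notices for properties without a setter
            call_user_func($this->accessors[$name][P_CONTAINER_SETTER], $value);
        } else {
            $this->values[$name] = $value;
        }
    }

    /**
     * Magic getter: Pimple-like getter first, then plain getter, then the stored value.
     *
     * @param string $name
     *
     * @return mixed Accessor result, stored value, or null when nothing is stored under $name
     */
    public function __get($name) {
        if (isset($this->accessors[$name][P_CONTAINER_GETTER_PIMPLE]) && is_callable($this->accessors[$name][P_CONTAINER_GETTER_PIMPLE])) {
            // Pimple-like getters receive the container itself
            return call_user_func($this->accessors[$name][P_CONTAINER_GETTER_PIMPLE], $this);
        }

        if (isset($this->accessors[$name][P_CONTAINER_GETTER]) && is_callable($this->accessors[$name][P_CONTAINER_GETTER])) {
            return call_user_func($this->accessors[$name][P_CONTAINER_GETTER]);
        }

        // Missing values read as null without raising an undefined index/key notice
        return isset($this->values[$name]) ? $this->values[$name] : null;
    }

    /**
     * Magic isset: a property counts as set when reading it yields a non-null value.
     *
     * Reading goes through $this->$name, so a registered getter is executed here.
     *
     * @param string $name
     *
     * @return bool
     */
    public function __isset($name) {
        // TODO - or here already can isset($this->name) ????
        $value = $this->$name;
        return isset($value);
    }

    /**
     * Drops the stored value of every described property. Accessors are left untouched.
     */
    public function clearProperties() {
        foreach ($this->properties as $propertyName => $propertyData) {
            unset($this->values[$propertyName]);
        }
    }

}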
$this->accessors[$name][P_CONTAINER_SETTER]
can contain request data and is used in code execution context(s), leading to a potential security vulnerability.
1 path for user data to reach this point:
$_POST
in includes/general.php on line 258
$value
is assigned in includes/general.php on line 266
in includes/classes/Buddy/BuddyContainer.php on line 81
in includes/classes/Buddy/BuddyModel.php on line 237
$cBuddy->buddy_id
is passed to V2PropertyContainer::__set() in includes/classes/Buddy/BuddyModel.php on line -1
in includes/classes/V2PropertyContainer.php on line 55
in includes/classes/V2PropertyContainer.php on line 57
General Strategies to prevent injection
In general, it is advisable to prevent any user data from reaching this point. This can be done by white-listing certain values:
For numeric data, we recommend explicitly casting the data: