projects / GitHub / WoltLab / WCF.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 662fc28)
Detect exceptions that erroneously escape the middleware stack
authorTim Düsterhus <duesterhus@woltlab.com>
Thu, 13 Apr 2023 11:53:53 +0000 (13:53 +0200)
committerTim Düsterhus <duesterhus@woltlab.com>
Fri, 14 Apr 2023 11:54:48 +0000 (13:54 +0200)
wcfsetup/install/files/lib/system/request/RequestHandler.class.php patch | blob | blame | history

diff --git a/wcfsetup/install/files/lib/system/request/RequestHandler.class.php b/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
index 0bcd31a915737fdda7c9bd50004abd6de6b278ad..34833bbb8df5a8d227f80ce3f489aedbb87ad541 100644 (file)
--- a/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
+++ b/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
@@ -9,6 +9,7 @@ use Laminas\Diactoros\ServerRequestFilter\FilterUsingXForwardedHeaders;
 use Laminas\HttpHandlerRunner\Emitter\SapiEmitter;
 use Psr\Http\Message\RequestInterface;
 use Psr\Http\Message\ResponseInterface;
+use wcf\http\error\XsrfValidationFailedHandler;
 use wcf\http\LegacyPlaceholderResponse;
 use wcf\http\middleware\AddAcpSecurityHeaders;
 use wcf\http\middleware\CheckForEnterpriseNonOwnerAccess;
@@ -33,7 +34,9 @@ use wcf\http\Pipeline;
 use wcf\system\application\ApplicationHandler;
 use wcf\system\exception\AJAXException;
 use wcf\system\exception\IllegalLinkException;
+use wcf\system\exception\InvalidSecurityTokenException;
 use wcf\system\exception\NamedUserException;
+use wcf\system\exception\PermissionDeniedException;
 use wcf\system\exception\SystemException;
 use wcf\system\SingletonFactory;
 use wcf\system\WCF;
@@ -135,7 +138,14 @@ final class RequestHandler extends SingletonFactory
                     new HandleValinorMappingErrors(),
                 ]);
 
-                $response = $pipeline->process($psrRequest, $this->getActiveRequest());
+                try {
+                    $response = $pipeline->process($psrRequest, $this->getActiveRequest());
+                } catch (IllegalLinkException | PermissionDeniedException | InvalidSecurityTokenException $e) {
+                    throw new \LogicException(\sprintf(
+                        "'%s' escaped from the middleware stack.",
+                        $e::class
+                    ), 0, $e);
+                }
 
                 if ($response instanceof LegacyPlaceholderResponse) {
                     return;
WoltLab Suite Core (previously WoltLab Community Framework)