RouteMatch vs controllers config


RouteMatch vs controllers config

Gregory

If the RouteMatch specifies the controller for that route, why is it necessary to check to see if it is in the 'controllers' config? Could it just be retrieved from the service manager config instead?


--
Greg

Re: RouteMatch vs controllers config

Marco Pivetta
The "controllers" config _is_ a service manager config (it's a plugin manager dedicated to Zend\Stdlib\DispatchableInterface generation only).



On 14 February 2014 00:46, Greg <[hidden email]> wrote:

If the RouteMatch specifies the controller for that route, why is it necessary to check to see if it is in the 'controllers' config? Could it just be retrieved from the service manager config instead?



Re: RouteMatch vs controllers config

Gregory
OK, thanks.


On Thu, Feb 13, 2014 at 9:34 PM, Marco Pivetta <[hidden email]> wrote:
The "controllers" config _is_ a service manager config (it's a plugin manager dedicated to Zend\Stdlib\DispatchableInterface generation only).



--
Greg

Re: RouteMatch vs controllers config

weierophinney
On Thu, Feb 13, 2014 at 9:34 PM, Marco Pivetta <[hidden email]> wrote:
> The "controllers" config _is_ a service manager config (it's a plugin
> manager dedicated to Zend\Stdlib\DispatchableInterface generation only).

And to clarify further... This separation of controllers from the
application-level services is to prevent a potential security vector
whereby somebody has a "/:controller" segment in their route (BAD,
BAD, BAD! NEVER DO THIS!), and a malicious user specifies an
application-level service that has side effects. As an example,
"/Foo%5CSome%5CTableGatewayThatAutomaticallyUpdatesOnInstantiation".

Additionally, as Marco notes, by having the controllers managed by
their own plugin manager, we can ensure that we have valid controllers
only -- i.e., those that implement DispatchableInterface -- as this is
built in to the plugin manager implementations.


--
Matthew Weier O'Phinney
Project Lead            | [hidden email]
Zend Framework          | http://framework.zend.com/
PGP key: http://framework.zend.com/zf-matthew-pgp-key.asc
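The route shape Matthew warns against, next to one that pins the controller in configuration, as an added illustration (this is not a file from the thread or from Zend Framework itself). The `router`, `controllers` and `service_manager` keys and the `Segment` route type are ZF2's; the module, controller and service names are assumptions.

```php
<?php
// Added illustration, not Zend Framework's own config and not from the thread.
// Module, controller and service names are assumptions.
return array(
    'router' => array(
        'routes' => array(
            // WEAK: the controller name is read straight from the URL.
            // A request for
            //   /Foo%5CSome%5CTableGatewayThatAutomaticallyUpdatesOnInstantiation
            // puts "Foo\Some\TableGateway..." into the RouteMatch as 'controller',
            // and the dispatcher asks for a service by that name. Because
            // controllers are resolved from the dedicated controller plugin
            // manager, an unregistered name is a "controller not found" error;
            // if controllers were pulled from the application service manager,
            // any registered service could be instantiated by a URL.
            'anything' => array(
                'type'    => 'Segment',
                'options' => array(
                    'route'    => '/:controller[/:action]',
                    'defaults' => array('action' => 'index'),
                ),
            ),
            // FIXED: the controller is a constant chosen by the developer; only
            // action and id come from the URL, and both are constrained.
            'users' => array(
                'type'    => 'Segment',
                'options' => array(
                    'route'       => '/users[/:action[/:id]]',
                    'constraints' => array(
                        'action' => '[a-zA-Z][a-zA-Z0-9_-]*',
                        'id'     => '[0-9]+',
                    ),
                    'defaults'    => array(
                        'controller' => 'Application\Controller\Users',
                        'action'     => 'index',
                    ),
                ),
            ),
        ),
    ),
    // The 'controllers' key configures the controller plugin manager: these
    // are the only names the dispatcher will resolve, and each instance must
    // implement Zend\Stdlib\DispatchableInterface (AbstractActionController does).
    'controllers' => array(
        'invokables' => array(
            'Application\Controller\Users' => 'Application\Controller\UsersController',
        ),
    ),
    // Application-level services live here and are never dispatchable,
    // whatever name a URL carries.
    'service_manager' => array(
        'factories' => array(
            'Application\Db\UsersTable' => 'Application\Db\UsersTableFactory',
        ),
    ),
);
```

The `anything` route is included only to show the shape; a real module config should not contain it. In ZF2 the dispatch listener takes the `controller` parameter from the RouteMatch and asks the controller manager for it, so with the `users` route the only names that can ever reach the controller manager are the ones written in `defaults`.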

Re: RouteMatch vs controllers config

Gregory
Thanks for the /:controller info. I'm now playing with the idea of the controller name being the "name" of the event, and the route match would be the source.


On Tue, Feb 18, 2014 at 11:15 AM, Matthew Weier O'Phinney <[hidden email]> wrote:

And to clarify further... This separation of controllers from the
application-level services is to prevent a potential security vector
whereby somebody has a "/:controller" segment in their route (BAD,
BAD, BAD! NEVER DO THIS!), and a malicious user specifies an
application-level service that has side effects. As an example,
"/Foo%5CSome%5CTableGatewayThatAutomaticallyUpdatesOnInstantiation".

--
Greg

Re: RouteMatch vs controllers config

Gregory
Ocramius, if callables are also allowed to be dispatched, wouldn't that open up the problem?


On Tue, Feb 18, 2014 at 12:46 PM, Greg <[hidden email]> wrote:
Thanks for /:controller info. I'm now playing with the idea of the controller name being the "name" of the event, route match would be the source.


--
Greg

Re: RouteMatch vs controllers config

Marco Pivetta
On 18 February 2014 23:52, Greg <[hidden email]> wrote:
Ocramius, if callables are also allowed to be dispatched, wouldn't that open up the problem?

Not really, no. The problem with the security issue is that it was possible to basically instantiate anything without any check. We got rid of that before 2.0.0.
The callables would still need to come from the controller plugin manager.
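Both Matthew's explanation of the "/:controller" vector and Marco's answer about callables rest on the same mechanism: the dispatcher resolves names only through a dedicated controller registry that validates the type of what it hands out. The following stand-alone PHP script is an added illustration of that design, not Zend Framework code; the `ServiceManager`, `ControllerManager` and `DispatchableInterface` here are deliberately tiny models, and the class and service names are made up. It runs under the `php` CLI with no dependencies.

```php
<?php
// Added illustration (not Zend Framework code): a stripped-down model of the
// separation Marco and Matthew describe. Class and service names are made up.

interface DispatchableInterface
{
    public function dispatch($request);
}

// An application-level service whose constructor has a side effect
// (think: it runs a schema update the moment it is created).
class TableGatewayThatAutomaticallyUpdatesOnInstantiation
{
    public static $updatesRun = 0;
    public function __construct() { self::$updatesRun++; }
}

class HelloController implements DispatchableInterface
{
    public function dispatch($request) { return 'hello from controller'; }
}

// Something wrongly registered under 'controllers' that cannot be dispatched.
class NotAController {}

// General-purpose container: resolves any registered name, no type policy.
class ServiceManager
{
    private $factories = array();
    private $instances = array();

    public function setFactory($name, $factory) { $this->factories[$name] = $factory; }
    public function has($name) { return isset($this->factories[$name]); }

    public function get($name)
    {
        if (!$this->has($name)) {
            throw new RuntimeException("service not found: $name");
        }
        if (!isset($this->instances[$name])) {
            $this->instances[$name] = call_user_func($this->factories[$name]);
        }
        return $this->instances[$name];
    }
}

// Controller plugin manager: its own registry (a whitelist of dispatchable
// things) plus a type check on every instance it hands out.
class ControllerManager extends ServiceManager
{
    public function get($name)
    {
        $controller = parent::get($name);
        if (!($controller instanceof DispatchableInterface)) {
            throw new RuntimeException("invalid controller (not Dispatchable): $name");
        }
        return $controller;
    }
}

// Model of the dispatcher. The instanceof check is the one a dispatcher can do
// on what it got back; with a general-purpose container it runs only after the
// object already exists, i.e. after any constructor side effect.
function dispatchFrom(ServiceManager $source, $name)
{
    try {
        $controller = $source->get($name);
        if (!($controller instanceof DispatchableInterface)) {
            return '404: not dispatchable: ' . $name;
        }
        return $controller->dispatch(null);
    } catch (RuntimeException $e) {
        return '404: ' . $e->getMessage();
    }
}

$services = new ServiceManager();
$services->setFactory('Foo\Some\TableGatewayThatAutomaticallyUpdatesOnInstantiation',
    function () { return new TableGatewayThatAutomaticallyUpdatesOnInstantiation(); });
$services->setFactory('Application\Controller\Hello',
    function () { return new HelloController(); });

$controllers = new ControllerManager();
$controllers->setFactory('Application\Controller\Hello',
    function () { return new HelloController(); });
$controllers->setFactory('Application\Controller\Broken',
    function () { return new NotAController(); });

// The name exactly as it would arrive from a "/:controller" segment.
$attackerName = rawurldecode('Foo%5CSome%5CTableGatewayThatAutomaticallyUpdatesOnInstantiation');

// 1. Controllers taken from the application service manager.
printf("%s\n", dispatchFrom($services, $attackerName));
printf("updates run: %d\n", TableGatewayThatAutomaticallyUpdatesOnInstantiation::$updatesRun);

// 2. Controllers taken from the dedicated controller manager.
printf("%s\n", dispatchFrom($controllers, $attackerName));
printf("updates run: %d\n", TableGatewayThatAutomaticallyUpdatesOnInstantiation::$updatesRun);
printf("%s\n", dispatchFrom($controllers, 'Application\Controller\Broken'));
printf("%s\n", dispatchFrom($controllers, 'Application\Controller\Hello'));
```

Case 1 ends in a 404 just like case 2, but by the time the dispatcher sees that the object is not dispatchable the gateway's constructor has already run once; in case 2 the same name is simply not in the controller registry, so nothing is instantiated and the counter does not move. The `Broken` entry shows the second half of the argument: even a name that is in the controller registry is rejected by the manager itself when the instance does not implement `DispatchableInterface`, which is the check Marco and Matthew describe as built into the plugin manager. A callable registered the same way would pass through exactly this registry and this check, which is why allowing callables does not reopen the hole.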