How do I avoid reflection injection attacks in PHP?

fiyour

I'm writing a class that allows you to bridge HTTP requests with class instances using JSON for data, without any implementation in the class you're bridging to. Basically this is how it works:

[code]
// This is just an ordinary class.
$service = new WeatherService();
$jhi = new JsonHttpInterface($service);
$jhi->exec();
[/code]

The [code]JsonHttpInterface[/code] class will check the [code]PATH_INFO[/code] of the request and call that method, applying any query string parameters as arguments. [code]http://example.com/the_above.php/getWeather?state="CA"[/code] would translate to [code]$service->getWeather("CA")[/code] (assuming that the name of the first argument is [code]$state[/code]).

This is how the method is found and called:

[code]
$method = new ReflectionMethod(get_class($this->instance), $action);
/*... code that matches query string values to arguments of above method...*/
$response = $method->invokeArgs($this->instance, $args);
[/code]

Now what I'm wondering is: what are the vulnerabilities of such a system? I've been pretty lenient on error checking, relying on PHP to throw errors when attempting to call non-existent or private/protected methods.
  • Is it possible to cheat the system?
  • Is it possible to pass in an invalid method name that does something other than throw an error?
  • Is it possible to refer to a method in a base class, or any other class?
The full source of JsonHttpInterface is available here: http://blixt.org/js/two-cents.php
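
A defensive version of the dispatch step described in the post, as an added example that is not part of the original post or of JsonHttpInterface: it validates the action name before reflection and exposes only public instance methods declared on the service class itself. The helpers `resolveAction` and `bindArgs`, the `BaseService` class and the extra sample methods are assumptions made for illustration; it assumes PHP 7.3 or later.

```php
<?php
// Constructed sample classes; only WeatherService and getWeather come from the post.
class BaseService { public function reset(): string { return 'reset'; } }
class WeatherService extends BaseService {
    public function getWeather(string $state): string { return "Weather for $state"; }
    public static function create(): self { return new self(); }
    protected function loadCache(): void {}
}

// Hypothetical helper: map an untrusted action name to a method, or throw.
function resolveAction(object $instance, string $action): ReflectionMethod {
    // Plain identifiers only: no "Class::method", no leading underscore (magic methods).
    if (!preg_match('/^[A-Za-z][A-Za-z0-9_]*\z/', $action)) {
        throw new InvalidArgumentException('Invalid action name');
    }
    $class = new ReflectionClass($instance);
    $method = $class->hasMethod($action) ? $class->getMethod($action) : null;
    // Expose only public instance methods declared on the service class itself.
    if ($method === null || !$method->isPublic() || $method->isStatic()
        || $method->getDeclaringClass()->getName() !== $class->getName()) {
        throw new InvalidArgumentException('Action not exposed');
    }
    return $method;
}

// Hypothetical helper: bind JSON-encoded query values to parameters by name.
function bindArgs(ReflectionMethod $method, array $query): array {
    $args = [];
    foreach ($method->getParameters() as $param) {
        $value = $query[$param->getName()] ?? null;
        if (is_string($value)) {
            $args[] = json_decode($value, true, 16, JSON_THROW_ON_ERROR);
        } elseif ($value === null && $param->isDefaultValueAvailable()) {
            $args[] = $param->getDefaultValue();
        } else {
            throw new InvalidArgumentException('Bad or missing argument: ' . $param->getName());
        }
    }
    return $args;
}

$service = new WeatherService();
foreach (['getWeather', 'reset', 'create', 'loadCache', '__construct', 'BaseService::reset'] as $action) {
    try {
        $method = resolveAction($service, $action);
        echo $action, ' => ', $method->invokeArgs($service, bindArgs($method, ['state' => '"CA"'])), "\n";
    } catch (InvalidArgumentException | JsonException $e) {
        echo $action, ' => rejected: ', $e->getMessage(), "\n";
    }
}
```

With the constructed input, only `getWeather` is invoked; the inherited, static, protected, magic and class-qualified names are all rejected before `invokeArgs` is reached.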
 