This protects against oddities such as manual invocation of the ClientError action, which can spoof error messages.
return;
}
- $args = array_merge($args, $_REQUEST);
+ // Note the order here: arguments from the URL mapper will
+ // override request params that have been sent. This ensures
+ // that for instance an action parameter can't be overridden
+ // with an arbitrary action class.
+ $args = array_merge($_REQUEST, $args);
Event::handle('ArgsInitialize', array(&$args));
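Review bot: The reordered `array_merge($_REQUEST, $args)` protects only the keys the URL mapper actually returns, so the guarantee stated in the new comment is narrower than it reads. Any key a route does not set is still taken directly from `$_REQUEST`, which can include cookie values depending on the `request_order` ini setting. `array_merge` also overrides only string keys; integer keys are appended instead. I would add a line to the comment such as `// Only keys returned by the mapper are protected; every other entry in $args is still untrusted request input.` The enclosing function starts and ends outside the hunk, so it is not visible how the action parameter is resolved to a class, nor what `ArgsInitialize` handlers do with the by-reference `$args`; it is worth confirming that the resolved action is checked there.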