Permalink
Browse files

fix(web_services): do not leak internal function names via system.api…

….list method

This removes PHP function names from the list generated by the system.api.list.

Fixes #8574
  • Loading branch information...
hypeJunction committed Jun 27, 2015
1 parent 5ff308c commit 9415c4136849028304327e097c84ac707c21d833
Showing with 22 additions and 0 deletions.
  1. +22 −0 mod/web_services/start.php
View
@@ -40,6 +40,8 @@ function ws_init() {
);
elgg_register_plugin_hook_handler('unit_test', 'system', 'ws_unit_test');
elgg_register_plugin_hook_handler('rest:output', 'system.api.list', 'ws_system_api_list_hook');
}
/**
@@ -336,3 +338,23 @@ function ws_unit_test($hook, $type, $value, $params) {
$value[] = dirname(__FILE__) . '/tests/ElggCoreWebServicesApiTest.php';
return $value;
}
/**
* Filters system API list to remove PHP internal function names
*
* @param string $hook "rest:output"
* @param string $type "system.api.list"
* @param array $return API list
* @param array $params Method params
* @return array
*/
function ws_system_api_list_hook($hook, $type, $return, $params) {
if (!empty($return) && is_array($return)) {
foreach($return as $method => $settings) {
unset($return[$method]['function']);
}
}
return $return;
}

0 comments on commit 9415c41

Please sign in to comment.