From 4193a826d3500c1c8771e2a55ca197011fe637c8 Mon Sep 17 00:00:00 2001
From: Brion Vibber
Date: Fri, 19 Nov 2010 15:30:52 -0800
Subject: [PATCH] Ticket #2796: don't allow arbitrary overriding of the 'action' class and other parameters pulled from the URL mapper.

This protects against oddities such as manual invocation of the ClientError action, which can spoof error messages.
---
 index.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/index.php b/index.php
index 9501e2275d..6079d1f2c4 100644
--- a/index.php
+++ b/index.php
@@ -272,7 +272,11 @@ function main()
         return;
     }
-    $args = array_merge($args, $_REQUEST);
+    // Note the order here: arguments from the URL mapper will
+    // override request params that have been sent. This ensures
+    // that for instance an action parameter can't be overridden
+    // with an arbitrary action class.
+    $args = array_merge($_REQUEST, $args);
     Event::handle('ArgsInitialize', array(&$args));