Fixed bug #13959: Core autoloader should accept class names only (could lead to remot...
[Packages/TYPO3.CMS.git] / t3lib / class.t3lib_autoloader.php
index e20f431..280af5a 100644 (file)
@@ -107,7 +107,11 @@ class t3lib_autoloader {
                        t3lib_div::requireFile($classPath);
                } else {
                        try {
-                               spl_autoload($className);
+                               // Regular expression for a valid classname taken from
+                               // http://www.php.net/manual/en/language.oop5.basic.php
+                               if (preg_match('/^[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*$/', $className)) {
+                                       spl_autoload($className);
+                               }
                        } catch (LogicException $exception) {
                        }
                }