Edit report at http://bugs.php.net/bug.php?id=52428&edit=1

 ID:                 52428
 Updated by:         [email protected]
 Reported by:        tyra3l at gmail dot com
 Summary:            $this isn't immutable
 Status:             Bogus
 Type:               Bug
 Package:            Scripting Engine problem
 Operating System:   all
 PHP Version:        5.3.3
 Block user comment: N

 New Comment:

@dagdamor10: This has nothing to do with exploits at all. It poses no
security risk being able to modify the $this variable by circumventing
the simple check that is implemented.


Previous Comments:
------------------------------------------------------------------------
[2010-07-26 10:51:25] tyra3l at gmail dot com

"what about abolishing everything related to safe_mode"

safe_mode has been DEPRECATED as of PHP 5.3.0 and will be removed with
the next major PHP version.

Tyrael

------------------------------------------------------------------------
[2010-07-26 10:32:24] dagdamor10 at mail dot ru

>> If you want you can shoot yourself in your head.

Okay, that was plain rude. PHP *should* protect websites from possible
exploits, what about abolishing everything related to safe_mode, allowed
paths and such? To make a good site, people need a good programming
language... and a good programming language should be accurate in
range-checking, resource-protecting etc, instead of leaving all that to
every programmer who decides to use it.

------------------------------------------------------------------------
[2010-07-25 18:50:52] tyra3l at gmail dot com

Thanks for the clarification.

Did I do something wrong in the report, or did you just copy-paste the
"Thank you for taking the time to write to us..." part of your comment?

Maybe it would be a good thing to add this conclusion to the
documentation (reassigning this isn't allowed, because ..., if you try
it, it will give you an error "Cannot re-assign this..." [if you really
need this, you can do...])

Tyrael

------------------------------------------------------------------------
[2010-07-25 18:39:17] [email protected]

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

We prevent mistakes, we don't prevent people from hurting themselves
purposely. If you want you can shoot yourself in your head.

------------------------------------------------------------------------
[2010-07-24 11:36:17] tyra3l at gmail dot com

Description:
------------
As some closed bug reports and the "PHP Fatal error: Cannot re-assign
$this" state, $this should be read-only/immutable in PHP5, but with
some tricks (variable variables mostly), you can work around this
constraint.

See the Test script.

I don't know the importance of this restriction, and with reflection you
can shoot yourself in the leg anyway, so maybe this can be left as is.

Test script:
---------------
<?php

error_reporting(E_ALL);
$var = new StdClass();
$var->foo = 'bar';
//$this = $var; // PHP Fatal error: Cannot re-assign $this
$GLOBALS['this'] = $var;
var_dump($this);
$var->foo = 'baz';
$foo = 'this';
$$foo = $var;
var_dump($this);

foo($this);

function foo($this){
    //global $this; // PHP Fatal error: Cannot re-assign $this
    // $this = $GLOBALS['var']; // PHP Fatal error: Cannot re-assign $this
    var_dump($this);
    $GLOBALS['this']->foo = 'baw';
    $$GLOBALS['foo'] = $GLOBALS['this'];
    var_dump($this);
}

Expected result:
----------------
PHP Fatal error: Cannot re-assign $this

for every attempt to overwrite $this

Actual result:
--------------
You can set $this in the global scope through $GLOBALS, with an argument
in functions, and with variable variables everywhere.

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/bug.php?id=52428&edit=1
