Edit report at https://bugs.php.net/bug.php?id=55449&edit=1
ID: 55449
User updated by: 0gb dot us at 0gb dot us
Reported by: 0gb dot us at 0gb dot us
Summary: Static private and static protected properties have a backdoor.
Status: Bogus
Type: Bug
Package: Class/Object related
Operating System: Mac OS X
PHP Version: 5.3.6
Block user comment: N
Private report: N
New Comment:
Oops, I posted that note before I saw your response. You were quick! Thanks for
the information, and have a nice day.
Previous Comments:
------------------------------------------------------------------------
[2011-08-18 14:47:51] 0gb dot us at 0gb dot us
I just realized a smaller script would have gotten the point across better.
Sorry.
<?php
class exampleclass {
    private static $staticprivate = "test #0";
    protected static $staticprotected = "test #1";
}
$test0 = "\0exampleclass\0staticprivate";
$test1 = "\0*\0staticprotected";
echo exampleclass::$$test0;//test #0
echo exampleclass::$$test1;//test #1
------------------------------------------------------------------------
[2011-08-18 14:41:48] [email protected]
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php
If one shoots oneself in the foot that's ok. If people really want to bypass
such checks we don't prevent them. They aren't a security thing or something
but a help to structure and isolate code. For reading out there are things like
var_dump() which give access to them, too.
------------------------------------------------------------------------
[2011-08-18 14:16:12] 0gb dot us at 0gb dot us
Description:
------------
I use a static private property in one of my classes, so objects in that class
can track data, while keeping it away from other parts of the script. However,
I found you can exploit a backdoor to reach the property from places that
should be outside the property's visibility, by using variable variables. Upon
further testing, I found the same backdoor exists for static protected
properties. Using this backdoor, you can get or set the property's value.
Non-static properties seem to be unaffected by this bug.
It doesn't seem particularly dangerous, but I thought I'd report it just the
same.
Test script:
---------------
<?php
class exampleclass {
    private static $staticprivate = "test #0";
    protected static $staticprotected = "test #1";
    private $private = "test #2";
    protected $protected = "test #3";
}
$test0 = "\0exampleclass\0staticprivate";
$test1 = "\0*\0staticprotected";
$test2 = "\0exampleclass\0private";
$test3 = "\0*\0protected";
$object = new exampleclass;
echo exampleclass::$$test0;//test #0
echo exampleclass::$$test1;//test #1
echo $object->$test2;//<b>Fatal error</b>: Cannot access property started with '\0' in ...
echo $object->$test3;//<b>Fatal error</b>: Cannot access property started with '\0' in ...
echo $object->{"\0*\0private"};//<b>Fatal error</b>: Cannot access property started with '\0' in ...
echo $object->{"\0*\0protected"};//<b>Fatal error</b>: Cannot access property started with '\0' in ...
Expected result:
----------------
All six echo()s should cause a fatal error.
Actual result:
--------------
Only the last four echo()s cause a fatal error.
------------------------------------------------------------------------
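The point made in the reply above, that visibility structures code and is not a confidentiality boundary, shown with documented PHP features. This is an added example, not code from the report or from the PHP maintainers; the class `Example`, the helper `decodeMangledKey` and all values are constructed, and it assumes PHP 7.0 or later.

```php
<?php
// Added example: class Example and its values are constructed for illustration.
class Example {
    public $label = "visible";
    protected $state = "test #3";
    private $secret = "test #2";
    private static $counter = "test #0";
}

// Split a key from an (array) cast into visibility, declaring class and name.
// Private keys are "\0ClassName\0prop"; protected keys are "\0*\0prop".
function decodeMangledKey(string $key): array {
    if ($key === '' || $key[0] !== "\0") {
        return ['visibility' => 'public', 'class' => null, 'name' => $key];
    }
    $end = strpos($key, "\0", 1);
    if ($end === false) {
        throw new InvalidArgumentException('malformed mangled property name');
    }
    $scope = substr($key, 1, $end - 1);
    $name  = substr($key, $end + 1);
    return $scope === '*'
        ? ['visibility' => 'protected', 'class' => null, 'name' => $name]
        : ['visibility' => 'private', 'class' => $scope, 'name' => $name];
}

// Instance properties: the cast returns every value, whatever its visibility.
foreach ((array) new Example as $key => $value) {
    $p = decodeMangledKey((string) $key);
    printf("%-9s %-7s = %s\n", $p['visibility'], $p['name'], $value);
}

// Static properties are not part of the cast; Reflection reads them instead.
$prop = new ReflectionProperty(Example::class, 'counter');
if (PHP_VERSION_ID < 80100) {
    $prop->setAccessible(true); // needed only before PHP 8.1
}
printf("%-9s %-7s = %s\n", 'private', 'counter', $prop->getValue());
```

Data that must stay hidden from other code running in the same PHP process needs a real trust boundary, such as a separate process or service, because visibility keywords do not provide one.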