Edit report at https://bugs.php.net/bug.php?id=55475&edit=1

 ID:                 55475
 Comment by:         martijn dot niji at gmail dot com
 Reported by:        mads at gartneriet dot dk
 Summary:            is_a() triggers autoloader
 Status:             Closed
 Type:               Bug
 Package:            Scripting Engine problem
 PHP Version:        5.3.7
 Assigned To:        dmitry
 Block user comment: N
 Private report:     N
 CVE-ID:             2011-3379

 New Comment:

I must agree with the people who say that is_a('stdClass', 'stdClass') should 
not return true.

The is_a() function is intended as a function that checks a certain condition 
is true, that condition being that a certain variable/object is of a certain 
type/class.

Having is_a() try to automatically load a class by calling autoload is bad 
behaviour at best and a code-breaking security flaw at worst.


Previous Comments:
------------------------------------------------------------------------
[2012-07-24 23:39:01] [email protected]

Automatic comment on behalf of stas
Revision: 
http://git.php.net/?p=php-src.git;a=commit;h=10f20585fcbd524016e439c17bf01a0fd5191107
Log: fix bug #55475 - implement is_a BC solution

------------------------------------------------------------------------
[2012-07-02 10:30:29] rmc1134 at gmail dot com

I don't get it: why should is_a() accept a string as its first argument?

This function is supposed to be a check on AN OBJECT and is_a('stdClass', 
'stdClass') SHOULD NOT EVER RETURN any truthy value.

Calling __autoload() to check whether some string might be some object is 
something a programmer should do, not the language.

------------------------------------------------------------------------
[2012-04-18 09:47:55] [email protected]

Automatic comment on behalf of stas
Revision: 
http://git.php.net/?p=php-src.git;a=commit;h=10f20585fcbd524016e439c17bf01a0fd5191107
Log: fix bug #55475 - implement is_a BC solution

------------------------------------------------------------------------
[2012-01-09 08:27:48] counterpoint at aliro dot org

It's worrying that something that appears to have been accidentally introduced 
is then justified as how things should work.  Little attention seems to be paid 
to how people may have been using the mechanism that has changed.  The whole 
thrust in this area was for is_a to test something that is supposed to be an 
instance.  Indeed, the at one time intended replacement for is_a is called 
"instanceof" and a string is not an instance of anything.  Changing an 
operation called "instanceof" to accept a class name ahead of the operator 
would seem perverse in the extreme.  Clearly the altered behavior of is_a may 
break any autoloader that assumes that it will only ever receive strings that 
can be assumed to be class names.  In particular, consider the common case 
where a set of class names can be mapped to a set of file names: in this 
situation, it is not unreasonable for the autoloader to terminate immediately 
if it receives a class name that contains ".." because this is very likely a 
hack attempt.
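
The autoloader concern raised in the comment above, illustrated as an added example that is not code from the bug report or from php-src. It assumes a hypothetical `classes/` directory next to the script and uses illustrative function names (`naive_autoload`, `safe_autoload`, `is_named_class_a`); the `allow_string` third parameter of is_a() is the one added in PHP 5.3.9, and is assumed available for the last function.

```php
<?php
// Added example (not from the bug report): an autoloader that treats the name
// it receives as untrusted. On the affected versions (PHP 5.3.7/5.3.8) a string
// passed as the first argument of is_a() was forwarded to the autoloader, so
// is_a($_GET['type'], 'Foo') could hand arbitrary user input to this callback.

// Naive autoloader of the kind the comment describes: it assumes $class is a
// class name and maps it straight to a file path. Fed "../../etc/passwd" or a
// similar string, it includes whatever that path resolves to.
function naive_autoload($class)
{
    include __DIR__ . '/classes/' . $class . '.php';
}

// Hardened autoloader: accept only syntactically valid (optionally namespaced)
// PHP class names and map them to files under a fixed base directory. Anything
// else, including names containing "..", "/" or ":", is ignored and never
// touches the filesystem.
function safe_autoload($class)
{
    $ident = '[A-Za-z_][A-Za-z0-9_]*';
    if (!preg_match('/^' . $ident . '(\\\\' . $ident . ')*$/', $class)) {
        return; // not a class name: refuse, do not include anything
    }
    $file = __DIR__ . '/classes/' . str_replace('\\', '/', $class) . '.php';
    if (is_file($file)) {
        require $file;
    }
}
spl_autoload_register('safe_autoload');

// Answering "is this value (object or class name) a $target?" without letting
// the check itself load code: instanceof never triggers autoloading, and for a
// string we first ask class_exists() with autoload disabled, so is_a() is only
// consulted for classes that are already in the class table.
function is_named_class_a($value, $target)
{
    if (is_object($value)) {
        return $value instanceof $target; // no autoload involved
    }
    return is_string($value)
        && class_exists($value, false)      // second argument: no autoload
        && is_a($value, $target, true);     // allow_string, PHP >= 5.3.9
}

// Constructed inputs for a manual run of the hardened pieces:
var_dump(is_named_class_a('../../etc/passwd', 'stdClass')); // bool(false), nothing loaded
var_dump(is_named_class_a(new stdClass, 'stdClass'));       // bool(true)
```

The point of `safe_autoload` is that the name check happens before any path is built, so the autoloader stays safe whichever PHP function ends up calling it. The point of `is_named_class_a` is that a type check on untrusted data should never be the thing that decides which file gets included.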

------------------------------------------------------------------------
[2011-11-09 05:27:49] [email protected]

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.

------------------------------------------------------------------------


The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=55475
