Edit report at https://bugs.php.net/bug.php?id=65352&edit=1
ID: 65352
Comment by: mail+php at requinix dot net
Reported by: seyferseed at mail dot ru
Summary: Method Closure::bind() can access private property
of object
Status: Open
Type: Bug
Package: Class/Object related
Operating System: Linux
PHP Version: 5.4.17
Block user comment: N
Private report: N
New Comment:
As noted in Closure::bind(),
"public static Closure Closure::bind ( Closure $closure , object $newthis [,
mixed
$newscope = 'static' ] )
newscope
The class scope to which associate the closure is to be associated, or 'static'
to
keep the current one. If an object is given, the type of the object will be
used
instead. This determines the visibility of protected and private methods of the
bound object."
You changed the scope of the function to be that of inside $foo. Naturally it
would have access to private members. If you don't want it to do that then omit
newscope=$object.
Previous Comments:
------------------------------------------------------------------------
[2013-07-29 04:39:42] seyferseed at mail dot ru
Description:
------------
Method Closure::bind() can access private property of object.
And modify it by reference. It is a violation of encapsulation.
See script for example. http://3v4l.org/JE0eX
Test script:
---------------
<?php
class Foo
{
private $bar = 'baz';
}
$reader = function & ($object, $property) {
$value = & Closure::bind(function & () use ($property) {
return $this->$property;
}, $object, $object)->__invoke();
return $value;
};
$foo = new Foo();
$bar = & $reader($foo, 'bar');
$bar = 'tab';
var_dump($foo);
Expected result:
----------------
Fatal error: Cannot access private property Foo::$bar in /in/JE0eX on line 8
Actual result:
--------------
Output for 5.4.0 - 5.5.1
object(Foo)#2 (1) {
["bar":"Foo":private]=>
&string(3) "tab"
}
------------------------------------------------------------------------
--
Edit this bug report at https://bugs.php.net/bug.php?id=65352&edit=1
