[PHP-BUG] Bug #62789 [NEW]: Autoloaders are invoked with invalid class names
From: drak at zikula dot org Operating system: PHP version: 5.3.15 Package: SPL related Bug Type: Bug Bug description:Autoloaders are invoked with invalid class names Description: It is possible to invoke class autoloaders with invalid class names leading to potential security issues. Classes can contain alphaumeric, underscore and backslash characters. However, code like: $foo = new $class where $class might contain any arbitrary string will cause the autoloader stack to be called even if the $class variable contained invalid characters for a class name. This could lead to various file inclusion issues as detailed in http://drak3.devmx.de/blog/2012/08/08/autoloaded-remote-file-inclusion/ However, it is not reasonable for classloaders to validate the class name passed to it via PHP for valid classname characters. Doing so would be an incredible burden on performance ever increasing with the size of the autoloader stack. I suggest that PHP validate the characters of the class before deciding to call the autoloader stack or not. -- Edit bug report at https://bugs.php.net/bug.php?id=62789&edit=1 -- Try a snapshot (PHP 5.4): https://bugs.php.net/fix.php?id=62789&r=trysnapshot54 Try a snapshot (PHP 5.3): https://bugs.php.net/fix.php?id=62789&r=trysnapshot53 Try a snapshot (trunk): https://bugs.php.net/fix.php?id=62789&r=trysnapshottrunk Fixed in SVN: https://bugs.php.net/fix.php?id=62789&r=fixed Fixed in SVN and need be documented: https://bugs.php.net/fix.php?id=62789&r=needdocs Fixed in release: https://bugs.php.net/fix.php?id=62789&r=alreadyfixed Need backtrace: https://bugs.php.net/fix.php?id=62789&r=needtrace Need Reproduce Script: https://bugs.php.net/fix.php?id=62789&r=needscript Try newer version: https://bugs.php.net/fix.php?id=62789&r=oldversion Not developer issue: https://bugs.php.net/fix.php?id=62789&r=support Expected behavior: https://bugs.php.net/fix.php?id=62789&r=notwrong Not enough info: https://bugs.php.net/fix.php?id=62789&r=notenoughinfo Submitted twice: https://bugs.php.net/fix.php?id=62789&r=submittedtwice register_globals: https://bugs.php.net/fix.php?id=62789&r=globals PHP 4 support discontinued: https://bugs.php.net/fix.php?id=62789&r=php4 Daylight Savings:https://bugs.php.net/fix.php?id=62789&r=dst IIS Stability: https://bugs.php.net/fix.php?id=62789&r=isapi Install GNU Sed: https://bugs.php.net/fix.php?id=62789&r=gnused Floating point limitations: https://bugs.php.net/fix.php?id=62789&r=float No Zend Extensions: https://bugs.php.net/fix.php?id=62789&r=nozend MySQL Configuration Error: https://bugs.php.net/fix.php?id=62789&r=mysqlcfg
[PHP-BUG] Bug #60640 [NEW]: Invalid return values
From: Operating system: PHP version: 5.4.0RC4 Package: Session related Bug Type: Bug Bug description:Invalid return values Description: According to the documentation at http://www.php.net/manual/en/class.sessionhandler.php the various methods return 0 for success and 1 for failure which is kind of backwards since 0 would normally be evaluated as false and 1 as true. This is in direct contradiction with the current expected behaviour of session_set_save_handler() http://www.php.net/manual/en/function.session-set-save-handler.php which expects true or false return values except for the read handler which should always return a string. What's the deal here? I think the return values really should be true and false for this class, as expected by session_set_save_handler() Expected result: I would expect the methods of SessionHandler class to return back true or false for all methods except read() which should return a string, as expected by the session_set_save_handler() -- Edit bug report at https://bugs.php.net/bug.php?id=60640&edit=1 -- Try a snapshot (PHP 5.4): https://bugs.php.net/fix.php?id=60640&r=trysnapshot54 Try a snapshot (PHP 5.3): https://bugs.php.net/fix.php?id=60640&r=trysnapshot53 Try a snapshot (trunk): https://bugs.php.net/fix.php?id=60640&r=trysnapshottrunk Fixed in SVN: https://bugs.php.net/fix.php?id=60640&r=fixed Fixed in SVN and need be documented: https://bugs.php.net/fix.php?id=60640&r=needdocs Fixed in release: https://bugs.php.net/fix.php?id=60640&r=alreadyfixed Need backtrace: https://bugs.php.net/fix.php?id=60640&r=needtrace Need Reproduce Script: https://bugs.php.net/fix.php?id=60640&r=needscript Try newer version: https://bugs.php.net/fix.php?id=60640&r=oldversion Not developer issue: https://bugs.php.net/fix.php?id=60640&r=support Expected behavior: https://bugs.php.net/fix.php?id=60640&r=notwrong Not enough info: https://bugs.php.net/fix.php?id=60640&r=notenoughinfo Submitted twice: https://bugs.php.net/fix.php?id=60640&r=submittedtwice register_globals: https://bugs.php.net/fix.php?id=60640&r=globals PHP 4 support discontinued: https://bugs.php.net/fix.php?id=60640&r=php4 Daylight Savings:https://bugs.php.net/fix.php?id=60640&r=dst IIS Stability: https://bugs.php.net/fix.php?id=60640&r=isapi Install GNU Sed: https://bugs.php.net/fix.php?id=60640&r=gnused Floating point limitations: https://bugs.php.net/fix.php?id=60640&r=float No Zend Extensions: https://bugs.php.net/fix.php?id=60640&r=nozend MySQL Configuration Error: https://bugs.php.net/fix.php?id=60640&r=mysqlcfg