Bug #52428 [Com]: $this isn't immutable
Edit report at https://bugs.php.net/bug.php?id=52428&edit=1

 ID:                 52428
 Comment by:         stelian dot mocanita at gmail dot com
 Reported by:        tyra3l at gmail dot com
 Summary:            $this isn't immutable
 Status:             Not a bug
 Type:               Bug
 Package:            Scripting Engine problem
 Operating System:   all
 PHP Version:        5.3.3
 Block user comment: N
 Private report:     N

 New Comment:

I strongly disagree with this not being a bug. I came across some old code where I had $this->object out of a class context and it took me a lot of hours to track and still did not get to the bottom of it.

More than that, this is lacking consistency. It can't allow me to assign a value to $this using globals / variable variables and not allow me to assign it a value otherwise.

As far as I see it it's either: $this can be overwritten by any assignation method in php or it can't be overwritten at all.

Allowing people to shoot themselves is a bad practice and it leads to shooting someone.

Thank you,
Stelian

Previous Comments:
------------------------------------------------------------------------
[2010-07-26 11:30:33] tyra3l at gmail dot com

There was some reason for this check to be placed.

My problem with this behaviour is that the $bar = 'baz'; should work the same as $foo='bar';$$foo = 'baz'; and same for the $foo vs $GLOBALS['foo']

Tyrael

------------------------------------------------------------------------
[2010-07-26 11:20:33] degeb...@php.net

@dagdamor10: This has nothing to do with exploits at all. It poses no security risk being able to modify the $this variable by circumventing the simple check that is implemented.

------------------------------------------------------------------------
[2010-07-26 10:51:25] tyra3l at gmail dot com

"what about abolishing everything related to safe_mode"

safe_mode has been DEPRECATED as of PHP 5.3.0. and will be removed with the next major php version.

Tyrael

------------------------------------------------------------------------
[2010-07-26 10:32:24] dagdamor10 at mail dot ru

>> If you want you can shoot yourself in your head.

Okay, that was plain rude. PHP *should* protect websites from possible exploits, what about abolishing everything related to safe_mode, allowed paths and such?

To make a good site, people need good programming language... and good programming language should be accurate in range-checking, resource-protecting etc, instead of leaving all that to every programmer who decides to use it.

------------------------------------------------------------------------
[2010-07-25 18:50:52] tyra3l at gmail dot com

Thanks for the clarification.

Did I do something wrong in the report, or you just copypasted the "Thank you for taking the time to write to us..." part of your comment?

Maybe it would be a good thing to add this conclusion to the documentation (reassigning this isn't allowed, because ..., if you try it, it will give you an error "Cannot re-assign this..." [if you really need this, you can do...])

Tyrael

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at

    https://bugs.php.net/bug.php?id=52428
Bug #52428 [Com]: $this isn't immutable
Edit report at http://bugs.php.net/bug.php?id=52428&edit=1

 ID:                 52428
 Comment by:         tyra3l at gmail dot com
 Reported by:        tyra3l at gmail dot com
 Summary:            $this isn't immutable
 Status:             Bogus
 Type:               Bug
 Package:            Scripting Engine problem
 Operating System:   all
 PHP Version:        5.3.3
 Block user comment: N

 New Comment:

There was some reason for this check to be placed.

My problem with this behaviour is that the $bar = 'baz'; should work the same as $foo='bar';$$foo = 'baz'; and same for the $foo vs $GLOBALS['foo']

Tyrael

Previous Comments:
------------------------------------------------------------------------
[2010-07-26 11:20:33] degeb...@php.net

@dagdamor10: This has nothing to do with exploits at all. It poses no security risk being able to modify the $this variable by circumventing the simple check that is implemented.

------------------------------------------------------------------------
[2010-07-26 10:51:25] tyra3l at gmail dot com

"what about abolishing everything related to safe_mode"

safe_mode has been DEPRECATED as of PHP 5.3.0. and will be removed with the next major php version.

Tyrael

------------------------------------------------------------------------
[2010-07-26 10:32:24] dagdamor10 at mail dot ru

>> If you want you can shoot yourself in your head.

Okay, that was plain rude. PHP *should* protect websites from possible exploits, what about abolishing everything related to safe_mode, allowed paths and such?

To make a good site, people need good programming language... and good programming language should be accurate in range-checking, resource-protecting etc, instead of leaving all that to every programmer who decides to use it.

------------------------------------------------------------------------
[2010-07-25 18:50:52] tyra3l at gmail dot com

Thanks for the clarification.

Did I do something wrong in the report, or you just copypasted the "Thank you for taking the time to write to us..." part of your comment?

Maybe it would be a good thing to add this conclusion to the documentation (reassigning this isn't allowed, because ..., if you try it, it will give you an error "Cannot re-assign this..." [if you really need this, you can do...])

Tyrael

------------------------------------------------------------------------
[2010-07-25 18:39:17] johan...@php.net

Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php

We prevent from mistakes, we don't prevent people from hurting them purposely. If you want you can shoot yourself in your head.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at

    http://bugs.php.net/bug.php?id=52428
Bug #52428 [Com]: $this isn't immutable
Edit report at http://bugs.php.net/bug.php?id=52428&edit=1

 ID:                 52428
 Comment by:         tyra3l at gmail dot com
 Reported by:        tyra3l at gmail dot com
 Summary:            $this isn't immutable
 Status:             Bogus
 Type:               Bug
 Package:            Scripting Engine problem
 Operating System:   all
 PHP Version:        5.3.3
 Block user comment: N

 New Comment:

"what about abolishing everything related to safe_mode"

safe_mode has been DEPRECATED as of PHP 5.3.0. and will be removed with the next major php version.

Tyrael

Previous Comments:
------------------------------------------------------------------------
[2010-07-26 10:32:24] dagdamor10 at mail dot ru

>> If you want you can shoot yourself in your head.

Okay, that was plain rude. PHP *should* protect websites from possible exploits, what about abolishing everything related to safe_mode, allowed paths and such?

To make a good site, people need good programming language... and good programming language should be accurate in range-checking, resource-protecting etc, instead of leaving all that to every programmer who decides to use it.

------------------------------------------------------------------------
[2010-07-25 18:50:52] tyra3l at gmail dot com

Thanks for the clarification.

Did I do something wrong in the report, or you just copypasted the "Thank you for taking the time to write to us..." part of your comment?

Maybe it would be a good thing to add this conclusion to the documentation (reassigning this isn't allowed, because ..., if you try it, it will give you an error "Cannot re-assign this..." [if you really need this, you can do...])

Tyrael

------------------------------------------------------------------------
[2010-07-25 18:39:17] johan...@php.net

Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php

We prevent from mistakes, we don't prevent people from hurting them purposely. If you want you can shoot yourself in your head.

------------------------------------------------------------------------
[2010-07-24 11:36:17] tyra3l at gmail dot com

Description:
------------
As some closed bug-reports and the "PHP Fatal error: Cannot re-assign $this" states, the $this should be read-only/immutable in PHP5. But with some tricks (variable variables mostly), you can work around this constraint. See the Test script.

I don't know the importance of this restriction, and with reflection you can shoot yourself in the leg anyway, so maybe this can be left as is.

Test script:
---------------
<?php

$var = new stdClass(); // opening lines lost in this archive copy; stdClass assumed
$var->foo = 'bar';
//$this = $var; // PHP Fatal error: Cannot re-assign $this
$GLOBALS['this'] = $var;
var_dump($this);
$var->foo = 'baz';
$foo = 'this';
$$foo = $var;
var_dump($this);
foo($this);

function foo($this){
    //global $this; // PHP Fatal error: Cannot re-assign $this
    // $this = $GLOBALS['var']; // PHP Fatal error: Cannot re-assign $this
    var_dump($this);
    $GLOBALS['this']->foo = 'baw';
    $$GLOBALS['foo'] = $GLOBALS['this'];
    var_dump($this);
}

Expected result:
----------------
PHP Fatal error: Cannot re-assign $this for every attempt to overwrite $this

Actual result:
--------------
you can set $this in the global scope through $GLOBALS, with argument in functions, and with variable variables in everywhere.
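Added example, not part of the original thread and not PHP's own code: a small Python lint that flags the indirect ways of rebinding $this listed in the report above (a write to $GLOBALS['this'], a parameter named $this, global $this, and variable-variable writes whose target cannot be resolved statically). The rule names, function names and the sample input are constructed for illustration, and comment stripping is naive (it does not understand string literals).

```python
import re

# Constructed sample: the constructs from the report's test script (PHP 5.3 era).
SAMPLE = r"""<?php
//$this = $var; // PHP Fatal error: Cannot re-assign $this
$GLOBALS['this'] = $var;
$foo = 'this';
$$foo = $var;
function foo($this){
    //global $this;
    $GLOBALS['this']->foo = 'baw';
    $$GLOBALS['foo'] = $GLOBALS['this'];
}
"""

# Hypothetical rule names; each pattern is matched against one comment-free line.
RULES = [
    # direct write to the 'this' slot of $GLOBALS (property writes via -> are not rebinding)
    ("globals-write", re.compile(r"\$GLOBALS\[\s*['\"]this['\"]\s*\]\s*=(?!=)")),
    # function or method declaring a parameter called $this
    ("param-named-this", re.compile(r"\bfunction\b[^(]*\([^)]*\$this\b")),
    # importing $this from the global scope
    ("global-this", re.compile(r"\bglobal\b[^;]*\$this\b")),
    # $$name = ... or ${expr} = ...: the target name is only known at run time
    ("variable-variable-write",
     re.compile(r"\$(?:\$\w+|\{[^}]*\})(?:\[[^\]]*\])*\s*=(?!=)")),
]


def strip_comments(src):
    """Blank out PHP comments while keeping line numbers stable (naive)."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return [re.sub(r"(//|#).*", "", line) for line in src.splitlines()]


def find_this_rebinding(src):
    """Return (line_number, rule) for each construct that can rebind $this indirectly."""
    findings = []
    for lineno, line in enumerate(strip_comments(src), start=1):
        for rule, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, rule))
    return findings


if __name__ == "__main__":
    for lineno, rule in find_this_rebinding(SAMPLE):
        print(f"line {lineno}: {rule}")
```

Variable-variable writes are reported even when the target is not 'this', because the name cannot be known without running the code; treat those findings as review prompts.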
Bug #52428 [Com]: $this isn't immutable
Edit report at http://bugs.php.net/bug.php?id=52428&edit=1

 ID:                 52428
 Comment by:         dagdamor10 at mail dot ru
 Reported by:        tyra3l at gmail dot com
 Summary:            $this isn't immutable
 Status:             Bogus
 Type:               Bug
 Package:            Scripting Engine problem
 Operating System:   all
 PHP Version:        5.3.3
 Block user comment: N

 New Comment:

>> If you want you can shoot yourself in your head.

Okay, that was plain rude. PHP *should* protect websites from possible exploits, what about abolishing everything related to safe_mode, allowed paths and such?

To make a good site, people need good programming language... and good programming language should be accurate in range-checking, resource-protecting etc, instead of leaving all that to every programmer who decides to use it.

Previous Comments:
------------------------------------------------------------------------
[2010-07-25 18:50:52] tyra3l at gmail dot com

Thanks for the clarification.

Did I do something wrong in the report, or you just copypasted the "Thank you for taking the time to write to us..." part of your comment?

Maybe it would be a good thing to add this conclusion to the documentation (reassigning this isn't allowed, because ..., if you try it, it will give you an error "Cannot re-assign this..." [if you really need this, you can do...])

Tyrael

------------------------------------------------------------------------
[2010-07-25 18:39:17] johan...@php.net

Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php

We prevent from mistakes, we don't prevent people from hurting them purposely. If you want you can shoot yourself in your head.

------------------------------------------------------------------------
[2010-07-24 11:36:17] tyra3l at gmail dot com

Description:
------------
As some closed bug-reports and the "PHP Fatal error: Cannot re-assign $this" states, the $this should be read-only/immutable in PHP5. But with some tricks (variable variables mostly), you can work around this constraint. See the Test script.

I don't know the importance of this restriction, and with reflection you can shoot yourself in the leg anyway, so maybe this can be left as is.

Test script:
---------------
<?php

$var = new stdClass(); // opening lines lost in this archive copy; stdClass assumed
$var->foo = 'bar';
//$this = $var; // PHP Fatal error: Cannot re-assign $this
$GLOBALS['this'] = $var;
var_dump($this);
$var->foo = 'baz';
$foo = 'this';
$$foo = $var;
var_dump($this);
foo($this);

function foo($this){
    //global $this; // PHP Fatal error: Cannot re-assign $this
    // $this = $GLOBALS['var']; // PHP Fatal error: Cannot re-assign $this
    var_dump($this);
    $GLOBALS['this']->foo = 'baw';
    $$GLOBALS['foo'] = $GLOBALS['this'];
    var_dump($this);
}

Expected result:
----------------
PHP Fatal error: Cannot re-assign $this for every attempt to overwrite $this

Actual result:
--------------
you can set $this in the global scope through $GLOBALS, with argument in functions, and with variable variables in everywhere.