Bug #62789 [Com]: Autoloaders are invoked with invalid class names
Edit report at https://bugs.php.net/bug.php?id=62789edit=1
 ID:                 62789
 Comment by:         le...@php.net
 Reported by:        drak at zikula dot org
 Summary:            Autoloaders are invoked with invalid class names
 Status:             Open
 Type:               Bug
 Package:            SPL related
 PHP Version:        5.3.15
 Block user comment: N
 Private report:     N

New Comment:

I suggest not creating a class from arbitrary strings you pick up from the internet . . .

Previous Comments:

[2012-08-10 07:27:50] victor dot berchet at sensiolabs dot com

As indicated in the blog post linked in the issue report, a few functions are affected (i.e. they can trigger the autoload function with an invalid class name):
- class_exists()
- interface_exists()
- class_parents()
- class_implements()
- is_subclass_of()

[2012-08-09 20:04:23] drak at zikula dot org

Description:
It is possible to invoke class autoloaders with invalid class names, leading to potential security issues.

Classes can contain alphanumeric, underscore and backslash characters. However, code like:

    $foo = new $class

where $class might contain any arbitrary string will cause the autoloader stack to be called even if the $class variable contained invalid characters for a class name. This could lead to various file inclusion issues as detailed in http://drak3.devmx.de/blog/2012/08/08/autoloaded-remote-file-inclusion/

However, it is not reasonable for classloaders to validate the class name passed to it via PHP for valid classname characters. Doing so would be an incredible burden on performance, ever increasing with the size of the autoloader stack.

I suggest that PHP validate the characters of the class before deciding to call the autoloader stack or not.

-- 
Edit this bug report at https://bugs.php.net/bug.php?id=62789edit=1
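The report argues that PHP itself should validate the name before the autoload stack runs, but until it does, an autoloader is the last line of defence between `new $class` / `class_exists($class)` and the filesystem. The following is an added example, not code from the bug report or from PHP: a simplified PSR-0 style loader as commonly written at the time, next to a hardened variant that rejects names outside PHP's identifier grammar and confines the resolved path to an assumed `$baseDir`.

```php
<?php
// Added example (not from the bug report). $baseDir is an assumed project path;
// POSIX path separators are assumed for the prefix check below.
$baseDir = __DIR__ . '/src';

// Naive mapping: Foo\Bar_Baz -> src/Foo/Bar/Baz.php. Whatever string reaches
// new $class or class_exists($class) is turned into a path without validation.
$naiveLoader = function (string $class) use ($baseDir): void {
    $file = $baseDir . '/' . str_replace(['\\', '_'], '/', $class) . '.php';
    if (is_file($file)) {
        require $file;
    }
};

// PHP identifier grammar: labels of [A-Za-z_\x7f-\xff][A-Za-z0-9_\x7f-\xff]*
// joined by single backslashes, with an optional leading backslash.
function isValidClassName(string $class): bool
{
    $label = '[A-Za-z_\x7f-\xff][A-Za-z0-9_\x7f-\xff]*';
    return (bool) preg_match('/^\\\\?' . $label . '(\\\\' . $label . ')*$/', $class);
}

// Hardened loader: validate the identifier first, then make sure the file
// it maps to actually lives under $baseDir (realpath() resolves symlinks
// and returns false for a missing file).
$hardenedLoader = function (string $class) use ($baseDir): void {
    if (!isValidClassName($class)) {
        return; // caller simply sees "class not found"; no disk access happened
    }
    $relative = str_replace(['\\', '_'], '/', ltrim($class, '\\')) . '.php';
    $file = realpath($baseDir . '/' . $relative);
    $root = realpath($baseDir);
    if ($file === false || $root === false || strpos($file, $root . '/') !== 0) {
        return;
    }
    require $file;
};

spl_autoload_register($hardenedLoader);

// class_exists() autoloads by default and is one of the functions the report
// lists; with the hardened loader a traversal-looking name never reaches disk.
var_dump(class_exists("../../../../etc/passwd\0", true));
var_dump(isValidClassName('App\\Model\\User'));
```

The validation regex is the same grammar PHP uses for identifiers, so it rejects nothing a legitimate `new` or `class_exists()` call could have produced.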