From:
Operating system: Mac OS X
PHP version:      5.3.6
Package:          Class/Object related
Bug Type:         Bug
Bug description:Static private and static protected properties have a backdoor.

Description:
------------
I use a static private property in one of my classes, so objects in that class can track data, while keeping it away from other parts of the script. However, I found you can exploit a backdoor to reach the property from places that should be outside the property's visibility, by using variable variables. Upon further testing, I found the same backdoor exists for static protected properties. Using this backdoor, you can get or set the property's value. Non-static properties seem to be unaffected by this bug.

It doesn't seem particularly dangerous, but I thought I'd report it just the same.

Test script:
---------------
<?php
class exampleclass {
    private static $staticprivate = "test #0";
    protected static $staticprotected = "test #1";
    private $private = "test #2";
    protected $protected = "test #3";
}

$test0 = "\0exampleclass\0staticprivate";
$test1 = "\0*\0staticprotected";
$test2 = "\0exampleclass\0private";
$test3 = "\0*\0protected";

$object = new exampleclass;

echo exampleclass::$$test0;//test #0
echo exampleclass::$$test1;//test #1
echo $object->$test2;//<b>Fatal error</b>: Cannot access property started with '\0' in ...
echo $object->$test3;//<b>Fatal error</b>: Cannot access property started with '\0' in ...
echo $object->{"\0*\0private"};//<b>Fatal error</b>: Cannot access property started with '\0' in ...
echo $object->{"\0*\0protected"};//<b>Fatal error</b>: Cannot access property started with '\0' in ...

Expected result:
----------------
All six echo()s should cause a fatal error.

Actual result:
--------------
Only the last four echo()s cause a fatal error.

--
Edit bug report at https://bugs.php.net/bug.php?id=55449&edit=1
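
Added example, not part of the original report and not PHP's own code: the strings in the test script follow PHP's internal property-name mangling ("\0Class\0name" for private, "\0*\0name" for protected), so code that reads a static property through a caller-supplied name can refuse NUL bytes and let Reflection confirm the declared visibility. The class `Demo` and the helpers `describe_property_name()` and `read_public_static()` are hypothetical names constructed for this illustration.

```php
<?php
// Constructed sample class for this added example (not from the bug report).
class Demo {
    public static $visible = "public value";
    private static $hidden = "private value";
}

// Split an internal (mangled) property name into its parts.
// "\0Class\0prop" is private to Class, "\0*\0prop" is protected, else public.
function describe_property_name($name) {
    if ($name === '' || $name[0] !== "\0") {
        return array('visibility' => 'public', 'class' => null, 'name' => $name);
    }
    $end = strpos($name, "\0", 1);
    if ($end === false) {
        return array('visibility' => 'malformed', 'class' => null, 'name' => $name);
    }
    $scope = substr($name, 1, $end - 1);
    return array(
        'visibility' => $scope === '*' ? 'protected' : 'private',
        'class'      => $scope === '*' ? null : $scope,
        'name'       => substr($name, $end + 1),
    );
}

// Hypothetical guard for code that reads a static property by a dynamic name:
// refuse NUL bytes, then let Reflection confirm the property is public static.
function read_public_static($class, $name) {
    if (strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in property name');
    }
    $prop = new ReflectionProperty($class, $name); // throws if it does not exist
    if (!$prop->isPublic() || !$prop->isStatic()) {
        throw new InvalidArgumentException($class . '::$' . $name . ' is not public static');
    }
    return $prop->getValue();
}

var_dump(describe_property_name("\0Demo\0hidden"));
echo read_public_static('Demo', 'visible'), "\n";
foreach (array('hidden', "\0Demo\0hidden") as $candidate) {
    try {
        read_public_static('Demo', $candidate);
    } catch (Exception $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```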