From:             
Operating system: Mac OS X
PHP version:      5.3.6
Package:          Class/Object related
Bug Type:         Bug
Bug description:  Static private and static protected properties have a backdoor.

Description:
------------
I use a static private property in one of my classes, so objects in that
class can track data, while keeping it away from other parts of the script.
However, I found you can exploit a backdoor to reach the property from
places that should be outside the property's visibility, by using variable
variables. Upon further testing, I found the same backdoor exists for
static protected properties. Using this backdoor, you can get or set the
property's value.

Non-static properties seem to be unaffected by this bug.

It doesn't seem particularly dangerous, but I thought I'd report it just
the same.

Test script:
---------------
<?php
class exampleclass {
    private static $staticprivate = "test #0";
    protected static $staticprotected = "test #1";
    private $private = "test #2";
    protected $protected = "test #3";
}

$test0 = "\0exampleclass\0staticprivate";
$test1 = "\0*\0staticprotected";
$test2 = "\0exampleclass\0private";
$test3 = "\0*\0protected";

$object = new exampleclass;

echo exampleclass::$$test0; // test #0
echo exampleclass::$$test1; // test #1
echo $object->$test2; // <b>Fatal error</b>:  Cannot access property started with '\0' in ...
echo $object->$test3; // <b>Fatal error</b>:  Cannot access property started with '\0' in ...

echo $object->{"\0*\0private"}; // <b>Fatal error</b>:  Cannot access property started with '\0' in ...
echo $object->{"\0*\0protected"}; // <b>Fatal error</b>:  Cannot access property started with '\0' in ...

Expected result:
----------------
All six echo()s should cause a fatal error.

Actual result:
--------------
Only the last four echo()s cause a fatal error.

-- 
Edit bug report at https://bugs.php.net/bug.php?id=55449&edit=1
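
The `"\0exampleclass\0..."` and `"\0*\0..."` strings in the test script are PHP's internal mangled property names, the same keys an `(array)` cast of an object exposes. The following is an added example, not part of the original report: `demangle_property_name()` and `read_static()` are hypothetical helper names, the `$public` and `$counter` properties are constructed additions, and the code assumes PHP 7 or later.

```php
<?php
// Instance properties mirror the report's test script; $public and
// $counter are constructed additions for contrast.
class exampleclass {
    private $private = "test #2";
    protected $protected = "test #3";
    public $public = "test #4";
    public static $counter = 0;
}

// Hypothetical helper: split an (array)-cast key into visibility,
// declaring class (private only) and the plain property name.
function demangle_property_name(string $key): array
{
    if ($key === '' || $key[0] !== "\0") {
        return ['visibility' => 'public', 'class' => null, 'name' => $key];
    }
    $end = strpos($key, "\0", 1);
    if ($end === false) {
        throw new InvalidArgumentException('malformed mangled name');
    }
    $scope = substr($key, 1, $end - 1);
    $name = substr($key, $end + 1);
    return $scope === '*'
        ? ['visibility' => 'protected', 'class' => null, 'name' => $name]
        : ['visibility' => 'private', 'class' => $scope, 'name' => $name];
}

// Hypothetical guard: apply to static lookups the same rule the engine
// applies to instance lookups, refusing any name that carries a NUL byte.
function read_static(string $class, string $name)
{
    if (strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in property name');
    }
    return $class::$$name;
}

foreach ((array) new exampleclass as $key => $value) {
    $info = demangle_property_name((string) $key);
    printf("%-9s %-12s %-9s raw=%s\n", $info['visibility'],
        $info['class'] ?? '-', $info['name'], addcslashes((string) $key, "\0"));
}

var_dump(read_static('exampleclass', 'counter')); // plain name is allowed
try {
    read_static('exampleclass', "\0*\0staticprotected");
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```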