Edit report at https://bugs.php.net/bug.php?id=55449&edit=1

ID:                 55449
Updated by:         johan...@php.net
Reported by:        0gb dot us at 0gb dot us
Summary:            Static private and static protected properties have a backdoor.
-Status:            Open
+Status:            Bogus
Type:               Bug
Package:            Class/Object related
Operating System:   Mac OS X
PHP Version:        5.3.6
Block user comment: N
Private report:     N

New Comment:

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

If one shoots oneself in the foot that's ok. If people really want to bypass such checks we don't prevent them. They aren't a security thing or something but a help to structure and isolate code. For reading out there are things like var_dump() which give access to them, too.

Previous Comments:
------------------------------------------------------------------------
[2011-08-18 14:16:12] 0gb dot us at 0gb dot us

Description:
------------
I use a static private property in one of my classes, so objects in that class can track data, while keeping it away from other parts of the script. However, I found you can exploit a backdoor to reach the property from places that should be outside the property's visibility, by using variable variables. Upon further testing, I found the same backdoor exists for static protected properties. Using this backdoor, you can get or set the property's value. Non-static properties seem to be unaffected by this bug.

It doesn't seem particularly dangerous, but I thought I'd report it just the same.

Test script:
---------------
<?php
class exampleclass {
    private static $staticprivate = "test #0";
    protected static $staticprotected = "test #1";
    private $private = "test #2";
    protected $protected = "test #3";
}

$test0 = "\0exampleclass\0staticprivate";
$test1 = "\0*\0staticprotected";
$test2 = "\0exampleclass\0private";
$test3 = "\0*\0protected";

$object = new exampleclass;

echo exampleclass::$$test0;//test #0
echo exampleclass::$$test1;//test #1
echo $object->$test2;//<b>Fatal error</b>: Cannot access property started with '\0' in ...
echo $object->$test3;//<b>Fatal error</b>: Cannot access property started with '\0' in ...
echo $object->{"\0*\0private"};//<b>Fatal error</b>: Cannot access property started with '\0' in ...
echo $object->{"\0*\0protected"};//<b>Fatal error</b>: Cannot access property started with '\0' in ...

Expected result:
----------------
All six echo()s should cause a fatal error.

Actual result:
--------------
Only the last four echo()s cause a fatal error.

------------------------------------------------------------------------
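
Added example (not part of the original report or of PHP's own code): the "\0Class\0name" and "\0*\0name" strings in the test script are PHP's internal mangled names for private and protected properties, and the same keys appear when an object is cast to an array, so visibility keywords should not be relied on to keep values confidential from other code in the same process. The class Example and the helpers decodeMangledName() and listProperties() are hypothetical names, and PHP 7.2 or later is assumed for the type declarations.

```php
<?php
// Added illustration; Example, decodeMangledName() and listProperties()
// are hypothetical names, not code from the bug report.
class Example
{
    public $public = 'a';
    protected $protected = 'b';
    private $private = 'c';
}

/**
 * Decode the key PHP uses for a property when an object is cast to array:
 *   public    -> "name"
 *   protected -> "\0*\0name"
 *   private   -> "\0DeclaringClass\0name"
 */
function decodeMangledName(string $key): array
{
    if ($key === '' || $key[0] !== "\0") {
        return ['visibility' => 'public', 'class' => null, 'name' => $key];
    }
    $end = strpos($key, "\0", 1);
    if ($end === false) {
        throw new InvalidArgumentException('malformed mangled property name');
    }
    $scope = substr($key, 1, $end - 1);   // "*" or the declaring class
    $name  = substr($key, $end + 1);
    return $scope === '*'
        ? ['visibility' => 'protected', 'class' => null, 'name' => $name]
        : ['visibility' => 'private', 'class' => $scope, 'name' => $name];
}

/** List every instance property of $object with its declared visibility. */
function listProperties(object $object): array
{
    $out = [];
    foreach ((array) $object as $key => $value) {
        $out[] = decodeMangledName((string) $key) + ['value' => $value];
    }
    return $out;
}

// Called from outside the class, yet protected and private values are listed.
foreach (listProperties(new Example) as $p) {
    printf("%-9s %-8s %-10s = %s\n",
        $p['visibility'], $p['class'] ?? '-', $p['name'], $p['value']);
}
```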