Edit report at https://bugs.php.net/bug.php?id=55475&edit=1

ID: 55475
Comment by: counterpoint at aliro dot org
Reported by: mads at gartneriet dot dk
Summary: is_a() triggers autoloader
Status: Closed
Type: Bug
Package: Scripting Engine problem
PHP Version: 5.3.7
Assigned To: dmitry
Block user comment: N
Private report: N
CVE-ID: 2011-3379

New Comment:

It's worrying that something that appears to have been accidentally introduced is then justified as how things should work. Little attention seems to be paid to how people may have been using the mechanism that has changed.

The whole thrust in this area was for is_a to test something that is supposed to be an instance. Indeed, the at one time intended replacement for is_a is called "instanceof" and a string is not an instance of anything. Changing an operation called "instanceof" to accept a class name ahead of the operator would seem perverse in the extreme.

Clearly the altered behavior of is_a may break any autoloader that assumes that it will only ever receive strings that can be assumed to be class names. In particular, consider the common case where a set of class names can be mapped to a set of file names: in this situation, it is not unreasonable for the autoloader to terminate immediately if it receives a class name that contains ".." because this is very likely a hack attempt.

Previous Comments:
------------------------------------------------------------------------
[2011-11-09 05:27:49] s...@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

For Windows: http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.

------------------------------------------------------------------------
[2011-11-09 05:27:38] s...@php.net

Automatic comment from SVN on behalf of stas
Revision: http://svn.php.net/viewvc/?view=revision&revision=318938
Log: fix bug #55475 - implement is_a BC solution

------------------------------------------------------------------------
[2011-11-08 09:24:24] ala...@php.net

The following patch has been added/updated:

Patch Name: final_patch_for_5_4_and_HEAD_v2
Revision: 1320744263
URL: https://bugs.php.net/patch-display.php?bug=55475&patch=final_patch_for_5_4_and_HEAD_v2&revision=1320744263

------------------------------------------------------------------------
[2011-10-13 07:36:59] ala...@php.net

The following patch has been added/updated:

Patch Name: final_patch_for_5_4_and_HEAD
Revision: 1318491419
URL: https://bugs.php.net/patch-display.php?bug=55475&patch=final_patch_for_5_4_and_HEAD&revision=1318491419

------------------------------------------------------------------------
[2011-10-03 07:30:43] ala...@php.net

Any comments on 5.4.*?

It seems like applying the 5.3 fix to 5.4 is the only option here, as there is no 'reasonable' way to flag the previous behavior as E_DEPRECATED that works well as both forward and backward compatible.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at

https://bugs.php.net/bug.php?id=55475
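
The autoloader concern raised in the new comment above, shown as an added example that is not part of the bug report or of PHP's own code: a class-to-file autoloader that validates whatever string it is handed before building a path, so a non-class-name string passed to is_a() cannot reach the filesystem mapping. The `classes` base directory, the one-class-per-file layout and the helper name `class_to_path` are assumptions for illustration.

```php
<?php
// Added example (not from the bug report). Layout and names are assumed.

// Valid PHP class name, optionally namespaced. The D modifier stops "$"
// from matching before a trailing newline.
const CLASS_NAME_RE = '/^[A-Za-z_][A-Za-z0-9_]*(?:\\\\[A-Za-z_][A-Za-z0-9_]*)*$/D';

function class_to_path($class, $baseDir)
{
    // Reject anything that is not a syntactically valid class name. This
    // covers "..", "/", NUL bytes and any other free-form string.
    if (!is_string($class)) {
        return null;
    }
    $class = ltrim($class, '\\');
    if (preg_match(CLASS_NAME_RE, $class) !== 1) {
        return null;
    }
    $path = $baseDir . DIRECTORY_SEPARATOR
          . str_replace('\\', DIRECTORY_SEPARATOR, $class) . '.php';

    // Defence in depth: the resolved file must exist inside the base directory.
    $real = realpath($path);
    $base = realpath($baseDir);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

spl_autoload_register(function ($class) {
    $path = class_to_path($class, __DIR__ . '/classes');
    if ($path !== null) {
        require $path;
    }
    // Unknown or invalid names fall through so other autoloaders can run.
});

// Constructed inputs: one plausible class name, two strings that are not.
foreach (array('App\\Model\\User', '../../etc/passwd', "Foo\0Bar") as $name) {
    var_dump(class_to_path($name, __DIR__ . '/classes'));
}

// Caller side: when the tested value may be a string, check the type first
// so the autoloader is never consulted for it.
$value = '../../etc/passwd'; // constructed
var_dump(is_object($value) && $value instanceof ArrayAccess);
```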