php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #55082 var_export() doesn't escape properties properly
Submitted: 2011-06-30 03:26 UTC Modified: 2011-06-30 05:27 UTC
From: jille at hexon dot cx Assigned: cataphract (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.3.6 OS: n/a
Private report: No CVE-ID: None
 [2011-06-30 03:26 UTC] jille at hexon dot cx
Description:
------------
var_export() does escape arraykeys properly, but doesn't use the same code for escaping properties. This might lead to code injections (when user-input can be used for a propery name and the var_export()ed code is eval()ed).

This was fixed for arraykeys in #19929 and #25758

Test script:
---------------
<?php
  $x = new stdClass();
  $x->{'\' => 5)); echo "Hack.\n"; array(array(\''} = 5;
  var_export($x);
?>

Expected result:
----------------
stdClass::__set_state(array(
   '\' => 5)); echo "Hack.\n"; array(array(\'' => 5,
))

Note the backslashes.

Actual result:
--------------
stdClass::__set_state(array(
   '' => 5)); echo "Hack.\n"; array(array('' => 5,
))


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-06-30 05:26 UTC] cataphract@php.net
Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=312661
Log: - Fixed bug #55082 (var_export() doesn't escape properties properly).
 [2011-06-30 05:27 UTC] cataphract@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cataphract
 [2011-06-30 05:27 UTC] cataphract@php.net
Fixed in SVN for 5.3, 5.4 and trunk.

Thank you.
 [2012-04-18 09:50 UTC] laruence@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=86ff3bab2d329be319e618046753353d1afcf246
Log: - Fixed bug #55082 (var_export() doesn't escape properties properly).
 [2012-07-24 23:41 UTC] rasmus@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=86ff3bab2d329be319e618046753353d1afcf246
Log: - Fixed bug #55082 (var_export() doesn't escape properties properly).
 [2013-11-17 09:37 UTC] laruence@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=86ff3bab2d329be319e618046753353d1afcf246
Log: - Fixed bug #55082 (var_export() doesn't escape properties properly).
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 06:01:30 2024 UTC