Bug #55082 var_export() doesn't escape properties properly
Submitted: 2011-06-30 03:26 UTC
Modified: 2011-06-30 05:27 UTC
From: jille at hexon dot cx
Assigned: cataphract (profile)
Status: Closed
Package: Scripting Engine problem
PHP Version: 5.3.6
OS: n/a
Private report: No
CVE-ID: None

 [2011-06-30 03:26 UTC] jille at hexon dot cx
Description:
------------
var_export() does escape array keys properly, but doesn't use the same code for escaping properties. This might lead to code injections (when user input can be used for a property name and the var_export()ed code is eval()ed).

This was fixed for array keys in #19929 and #25758.

Test script:
---------------
<?php
  $x = new stdClass();
  $x->{'\' => 5)); echo "Hack.\n"; array(array(\''} = 5;
  var_export($x);
?>

Expected result:
----------------
stdClass::__set_state(array(
   '\' => 5)); echo "Hack.\n"; array(array(\'' => 5,
))

Note the backslashes.

Actual result:
--------------
stdClass::__set_state(array(
   '' => 5)); echo "Hack.\n"; array(array('' => 5,
))
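
Added example, not part of the original report or of php-src: a way to check whether a given runtime escapes property names, by tokenizing the var_export() output instead of eval()ing it. The function names (decode_single_quoted, inspect_export, export_is_safe) are made up for this illustration; the property name and the pre-fix output are copied from the report above.

```php
<?php
// Added example: detect unescaped property names in var_export() output
// by tokenizing it. Nothing is eval()ed.

// Decode a single-quoted PHP literal; \\ and \' are its only escapes.
function decode_single_quoted(string $literal): string
{
    return strtr(substr($literal, 1, -1), ["\\\\" => "\\", "\\'" => "'"]);
}

// Count ';' tokens outside string literals and collect the decoded
// single-quoted literals found in the exported code.
function inspect_export(string $exported): array
{
    $statements = 0;
    $literals = [];
    foreach (token_get_all('<?php ' . $exported . ';') as $tok) {
        if ($tok === ';') {
            $statements++;
        } elseif (is_array($tok) && $tok[0] === T_CONSTANT_ENCAPSED_STRING
                  && $tok[1][0] === "'") {
            $literals[] = decode_single_quoted($tok[1]);
        }
    }
    return ['statements' => $statements, 'literals' => $literals];
}

// Safe means: the export is a single expression (only the ';' appended
// above) and the property name survived intact as one string literal.
function export_is_safe(string $exported, string $propertyName): bool
{
    $r = inspect_export($exported);
    return $r['statements'] === 1
        && in_array($propertyName, $r['literals'], true);
}

// Property name from the report's test script.
$name = '\' => 5)); echo "Hack.\n"; array(array(\'';

// Case 1: the "Actual result" text from the report (pre-fix output).
$preFix = "stdClass::__set_state(array(\n   '' => 5)); "
        . "echo \"Hack.\\n\"; array(array('' => 5,\n))";
var_dump(export_is_safe($preFix, $name));

// Case 2: whatever the runtime executing this script produces.
$x = new stdClass();
$x->{$name} = 5;
var_dump(export_is_safe(var_export($x, true), $name));
```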


 [2011-06-30 05:26 UTC] cataphract@php.net
Automatic comment from SVN on behalf of cataphract
Revision: http://svn.php.net/viewvc/?view=revision&revision=312661
Log: - Fixed bug #55082 (var_export() doesn't escape properties properly).
 [2011-06-30 05:27 UTC] cataphract@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: cataphract
 [2011-06-30 05:27 UTC] cataphract@php.net
Fixed in SVN for 5.3, 5.4 and trunk.

Thank you.
 [2012-04-18 09:50 UTC] laruence@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=86ff3bab2d329be319e618046753353d1afcf246
Log: - Fixed bug #55082 (var_export() doesn't escape properties properly).
 [2012-07-24 23:41 UTC] rasmus@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=86ff3bab2d329be319e618046753353d1afcf246
Log: - Fixed bug #55082 (var_export() doesn't escape properties properly).
 [2013-11-17 09:37 UTC] laruence@php.net
Automatic comment on behalf of cataphract
Revision: http://git.php.net/?p=php-src.git;a=commit;h=86ff3bab2d329be319e618046753353d1afcf246
Log: - Fixed bug #55082 (var_export() doesn't escape properties properly).