php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #55449 Static private and static protected properties have a backdoor.
Submitted: 2011-08-18 14:16 UTC Modified: 2011-08-18 14:51 UTC
From: 0gb dot us at 0gb dot us Assigned:
Status: Not a bug Package: Class/Object related
PHP Version: 5.3.6 OS: Mac OS X
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: 0gb dot us at 0gb dot us
New email:
PHP Version: OS:

 

 [2011-08-18 14:16 UTC] 0gb dot us at 0gb dot us 
Description:
------------
I use a static private property in one of my classes, so objects in that class can track data, while keeping it away from other parts of the script. However, I found you can exploit a backdoor to reach the property from places that should be outside the property's visibility, by using variable variables. Upon further testing, I found the same backdoor exists for static protected properties. Using this backdoor, you can get or set the property's value.

Non-static properties seem to be unaffected by this bug.

It doesn't seem particularly dangerous, but I thought I'd report it just the same.

Test script:
---------------
<?php class exampleclass {
private static $staticprivate = "test #0";
protected static $staticprotected = "test #1";
private $private = "test #2";
protected $protected = "test #3"; }

$test0 = "\0exampleclass\0staticprivate";
$test1 = "\0*\0staticprotected";
$test2 = "\0exampleclass\0private";
$test3 = "\0*\0protected";

$object = new exampleclass;

echo exampleclass::$$test0;//test #0
echo exampleclass::$$test1;//test #1
echo $object->$test2;//<b>Fatal error</b>:  Cannot access property started with '\0' in ...
echo $object->$test3;//<b>Fatal error</b>:  Cannot access property started with '\0' in ...

echo $object->{"\0*\0private"};//<b>Fatal error</b>:  Cannot access property started with '\0' in ...
echo $object->{"\0*\0protected"};//<b>Fatal error</b>:  Cannot access property started with '\0' in ...

Expected result:
----------------
All six echo()s should cause a fatal error.

Actual result:
--------------
Only the last four echo()s cause a fatal error.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-08-18 14:41 UTC] johannes@php.net
-Status: Open +Status: Bogus
 [2011-08-18 14:41 UTC] johannes@php.net 
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

If one shoots oneself in the foot that's ok. If people really want to bypass such checks we don't prevent them. They aren't a security thing or something but a help to structure and isolate code. For reading out there are things like var_dump() which give access to them, too.
 [2011-08-18 14:47 UTC] 0gb dot us at 0gb dot us 
I just realized a smaller script would have gotten the point across better. Sorry.

<?php class exampleclass {
private static $staticprivate = "test #0";
protected static $staticprotected = "test #1"; }

$test0 = "\0exampleclass\0staticprivate";
$test1 = "\0*\0staticprotected";

echo exampleclass::$$test0;//test #0
echo exampleclass::$$test1;//test #1
 [2011-08-18 14:51 UTC] 0gb dot us at 0gb dot us 
Opps, I posted that note before I saw your response. You were quick! Thanks for the information, and have a nice day.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri Nov 21 19:00:01 2025 UTC