|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2019-12-07 06:57 UTC] theilig at box dot com
Description:
------------
If a class tries to use reflection to read a property of a second class, and that second class has a property or a const that is initialized by a const reference to a third class, The scope for visibility of properties is incorrect, The third class will not be able to access it's own private static properties, but instead will have access to private static properties of a different class! See the example code for more info.
OtherClass::$test isn't as private as it thinks!
Fatal error: Uncaught Error: Cannot access private property PrivateStatic::$privateStaticVarArray in /Users/theilig/code/PhpBug/PrivateStatic.php on line 9
Error: Cannot access private property PrivateStatic::$privateStaticVarArray in /Users/theilig/code/PhpBug/PrivateStatic.php on line 9
Call Stack:
0.0004 395896 1. {main}() /Users/theilig/code/PhpBug/ThirdClass.php:0
0.0010 398848 2. ReflectionProperty->getValue() /Users/theilig/code/PhpBug/ThirdClass.php:9
0.0010 398968 3. spl_autoload_call() /Users/theilig/code/PhpBug/ThirdClass.php:9
0.0010 399008 4. {closure:/Users/theilig/code/PhpBug/ThirdClass.php:2-4}() /Users/theilig/code/PhpBug/ThirdClass.php:9
0.0011 402480 5. include('/Users/theilig/code/PhpBug/PrivateStatic.php') /Users/theilig/code/PhpBug/ThirdClass.php:3
0.0011 402480 6. PrivateStatic::init() /Users/theilig/code/PhpBug/PrivateStatic.php:12
You can see from the stack that the current function is PrivateStatic::init() which should be able to access private static variables in the PrivateStatic class, but instead was able to read OtherClass::$test which is private.
The code works correctly if either
1) The third class (PrivateStatic in the example) is forcefully loaded before the reflection call "class_exists('PrivateStatic');
or
2) The field in the second class is public, and is referenced directly rather than via Reflection.
What I've seen via xdebug is that in php 7.1.29
$reflectionClass = new ReflectionClass('OtherClass');
will trigger the loading of PrivateStatic (and everything works correctly)
However in php 7.3.12
$reflectionClass = new ReflectionClass('OtherClass');
will only load OtherClass, and PrivateStatic isn't loaded until
$value = $reflectionProperty->getValue();
When the getValue call triggers the loading of PrivateStatic (and the running of the top level call to PrivateStatic::init() ) then it appears to be picking up the scope of OtherClass
Test script:
---------------
https://github.com/theilig/PhpBug
% php ThirdClass.php
Expected result:
----------------
Expected result is:
PHP Fatal error: Uncaught Error: Cannot access private property OtherClass::$test in /Users/theilig/code/PhpBug/PrivateStatic.php:9
Actual result:
--------------
OtherClass::$testisn't as private as it thinks!
PHP Fatal error: Uncaught Error: Cannot access private property PrivateStatic::$privateStaticVarArray in /Users/theilig/code/PhpBug/PrivateStatic.php:10
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sun Nov 02 21:00:02 2025 UTC |
Single file: <?php spl_autoload_register(function($className) { if ($className == 'PrivateStatic') { class PrivateStatic { const SOME_CONST = 13; private static $privateStaticVarArray = ['a', 'b', 'c']; private static $otherStatic; public static function init() { self::$otherStatic = self::$privateStaticVarArray; } } PrivateStatic::init(); } }); class OtherClass { const MY_CONST = PrivateStatic::SOME_CONST; public static $prop = 'my property'; } //class_exists('PrivateStatic'); $reflectionClass = new ReflectionClass('OtherClass'); $reflectionProperty = $reflectionClass->getProperty('prop'); $reflectionProperty->setAccessible(true); $value = $reflectionProperty->getValue(); //$value = OtherClass::$prop; echo "Value is $value\n";