php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #27504 call_user_func_array allows calling of private/protected methods
Submitted: 2004-03-05 03:21 UTC Modified: 2004-03-14 12:53 UTC
Votes:2
Avg. Score:3.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: redeye at erisx dot de Assigned: andi (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5CVS-2004-03-05 OS: *
Private report: No CVE-ID: None
 [2004-03-05 03:21 UTC] redeye at erisx dot de
Description:
------------
Using call_user_func_array you are able to call a private or protected method of any object. I think this should not be allowed as it will lead to bad programming style as you could use this bug to access methods which should be hidden.

Reproduce code:
---------------
<?php

    class foo {
        function __construct () {
            $this->bar('1');
        }
        private function bar ( $param ) {
            echo 'Called function foo:bar('.$param.');<br>';
        }
    }

    $foo = new foo();

    call_user_func_array( array( $foo , 'bar' ) , array( '2' ) );

    $foo->bar('3');

?>

Expected result:
----------------
Called function foo:bar(1);

Fatal error: Call to private method foo::bar() from context '' in /www/htdocs/bug.php on line 14

Actual result:
--------------
Called function foo:bar(1);
Called function foo:bar(2);

Fatal error: Call to private method foo::bar() from context '' in /www/htdocs/bug.php on line 17

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-03-05 03:37 UTC] derick@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip
 [2004-03-05 07:00 UTC] redeye at erisx dot de
Still the same results ( using the latest snapshot )
 [2004-03-05 07:06 UTC] derick@php.net
Andi, worth fixing this? :)
 [2004-03-14 12:53 UTC] andi@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Nov 23 07:01:29 2024 UTC