php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #35806 Enable/Disable debug functions from accessing protected/private elements
Submitted: 2005-12-26 15:40 UTC Modified: 2005-12-27 21:51 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: mega-squall at caramail dot com Assigned:
Status: Wont fix Package: Feature/Change Request
PHP Version: 5.1.1 OS: *
Private report: No CVE-ID: None
View Add Comment Developer Edit
Have you experienced this issue?
Rate the importance of this bug to you:

 [2005-12-26 15:40 UTC] mega-squall at caramail dot com 
Description:
------------
Debug functions (print_r(), var_export()) may access protected/private elements of objects for debugging puposes, but such a behavior might be a security hole for some scripts on production status.

I suggest to add a configuration property which may enable or disable such functions from acessing private/protected elements, for instance in the php.ini ...

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-12-26 21:19 UTC] derick@php.net 
Those debugging functions should not be used in production at all... they are debugging features. And if they cause security problems you're definitely doing something very wrong...
 [2005-12-27 21:51 UTC] mega-squall at caramail dot com 
I was thinking of a customizable portal for instance. It would allow some users (devlopers of the actual portal) to add/edit/delete pages or modules. When the portal is quite large, there would be many devs. Some may not have access to all parts of the site administration. But what if a verous dev wrote an hidden page with a print_r ($db->password); ?

Is such a project beyond the aim of PHP ?
 [2005-12-27 21:51 UTC] mega-squall at caramail dot com 
I was thinking of a customizable portal for instance. It would allow some users (devlopers of the actual portal) to add/edit/delete pages or modules. When the portal is quite large, there would be many devs. Some may not have access to all parts of the site administration. But what if a verous dev wrote an hidden page with a print_r ($db->password); ?

Is such a project beyond the aim of PHP ?
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sun May 19 12:01:30 2024 UTC