Doc Bug #42744 __autoload description does not state the class name can be any string
Submitted: 2007-09-24 09:32 UTC Modified: 2007-11-21 15:39 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: pstradomski at gmail dot com Assigned:
Status: Closed Package: Documentation problem
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2007-09-24 09:32 UTC] pstradomski at gmail dot com
Description:
------------
When a class is required because of a callback through call_user_func etc., no validation on the class name is performed. This can lead to a problem when the name is specially crafted.

One could expect the code below to be quite safe - it checks for class existence and tests if the class is a subclass of the expected base class - but nevertheless it leads to an information leak.

The documentation should state that the parameter of __autoload does not necessarily conform to the grammar of the class name.

Reproduce code:
---------------
<?php
/**
 * This is quite basic autoload function, similar to the one in documentation
 * at http://www.php.net/manual/en/language.oop5.autoload.php
 *
 * There is no mention there that it is possible for dangerous characters to
 * appear in the $class_name so it has to be handled with care.
 *
 * Note: __autoload() was deprecated in PHP 7.2 and removed in PHP 8.0;
 * the same function body registered via spl_autoload_register() behaves
 * identically for the purpose of this report.
 */
function __autoload($class_name) {
    echo "Autoloading $class_name\n";
    // $class_name is interpolated straight into a filesystem path: any
    // "../" segments or a NUL byte in the name reach file_exists()/require_once.
    if (file_exists("classes/$class_name.php")) {
        require_once "classes/$class_name.php";
    } else {
        die("Autoloading $class_name failed\n");
    }
}


// somewhere in main program
// Crafted "class name": path traversal plus a NUL byte so that the
// trailing "Controller.php" is ignored when the path is resolved.
$className = "../../../../../../../etc/passwd\0" . 'Controller';

// Triggers __autoload() with the crafted string before any check runs.
$class = new ReflectionClass($className);

if ($class->isSubclassOf('Controller')) {
    call_user_func(array($className, 'handleRequest'));
}

?>



History
 [2007-11-21 15:39 UTC] vrana@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

"If the class name is used e.g. in call_user_func() then it can contain some dangerous characters such as ../. It is recommended to not use the user-input in such functions or at least verify the input in __autoload()."
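The advice above amounts to: treat the autoloader's argument as untrusted input and reject anything that is not a valid PHP identifier before it is turned into a path. The following is an added example, not code from the bug report or from the PHP manual; it assumes the report's `classes/` directory layout and a file `classes/<ClassName>.php` per class, and the function name `classFileFor()` is an illustrative choice. Unlike the original `__autoload()`, it validates the name against PHP's identifier grammar (labels separated by `\` for namespaces), refuses anything else (including `../`, `/` and NUL bytes), and additionally confirms that the resolved file stays under the class directory:

```php
<?php
// Added example (not the bug report's or PHP's own code): hardened autoloader
// that validates the class name before building a filesystem path.
// Assumption: classes live in classes/<Name>.php under this script's directory.

declare(strict_types=1);

const CLASS_DIR = __DIR__ . '/classes';

/**
 * Map a class name to the file that should define it, or return null when the
 * name is not a plain (optionally namespaced) PHP identifier or the file does
 * not exist inside CLASS_DIR. Nothing from $class reaches the filesystem
 * until it has passed the grammar check.
 */
function classFileFor(string $class): ?string
{
    // PHP identifier grammar: [A-Za-z_\x80-\xff][A-Za-z0-9_\x80-\xff]*,
    // one or more labels separated by a single backslash. \z (not $) so a
    // trailing newline cannot slip through. Rejects "..", "/", "\0", spaces.
    $label = '[A-Za-z_\x80-\xff][A-Za-z0-9_\x80-\xff]*';
    if (!preg_match('/^' . $label . '(\\\\' . $label . ')*\z/', $class)) {
        return null;
    }

    $path = CLASS_DIR . '/' . str_replace('\\', '/', $class) . '.php';
    if (!is_file($path)) {
        return null;
    }

    // Defence in depth: the canonical path must still be under CLASS_DIR
    // (guards against symlinks or a future change to the mapping above).
    $real = realpath($path);
    $base = realpath(CLASS_DIR);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

spl_autoload_register(function (string $class): void {
    $file = classFileFor($class);
    if ($file !== null) {
        require_once $file;
    }
    // Malformed or unknown name: return without loading anything, so
    // class_exists() reports false and new/ReflectionClass fail normally.
});

// Demonstration with the crafted name from the report versus a normal one.
$crafted = "../../../../../../../etc/passwd\0" . 'Controller';
var_dump(classFileFor($crafted));     // NULL: fails the identifier check, no filesystem access
var_dump(classFileFor('Controller')); // string path if classes/Controller.php exists, else NULL
```

The grammar check is the part that matters: once the name is known to be a bare identifier, the only files the autoloader can ever touch are `classes/<identifier>.php`, regardless of how the name was obtained (user input, `call_user_func()`, `ReflectionClass`, `class_exists()`). The `realpath()` containment test costs one extra syscall and catches mistakes in the mapping itself, which is cheap insurance for code that runs on every unknown class name. Note that on PHP 5.3.4 and later, filesystem functions reject paths containing a NUL byte outright, which closes the specific `\0` truncation the report relies on, but the `../` traversal in an unvalidated name still works on any version, so the grammar check is not optional.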