php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #44031 vprint treats private object elements as array elements
Submitted: 2008-02-03 12:50 UTC Modified: 2020-12-21 22:02 UTC
Votes:7
Avg. Score:3.6 ± 0.9
Reproduced:5 of 6 (83.3%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: m dot beyer5 at gmx dot de Assigned: nikic (profile)
Status: Closed Package: *General Issues
PHP Version: 5.2.5 OS: Debian Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: m dot beyer5 at gmx dot de
New email:
PHP Version: OS:

 

 [2008-02-03 12:50 UTC] m dot beyer5 at gmx dot de
Description:
------------
If an object is supplied instead of an array, v(s)printf takes the internal object elements as elements despite of its visibility.
This is not only quite annoying but could be a security issue as well.

Reproduce code:
---------------
class foo
{
    private $x = 1;
    private $y = 2;
    
}

$array = new foo;
vprintf('%s < %s',$array);

Expected result:
----------------
An E_WARNING should be triggered.
Alternatively, vprintf could take an object instantiating or extending ArrayObject and behave according to the objects functions.

Actual result:
--------------
vprintf prints:

1 < 2

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-05-17 18:28 UTC] cmb@php.net
-Package: Feature/Change Request +Package: *General Issues
 [2015-05-17 18:28 UTC] cmb@php.net
The behavior is not particularly related to vprinf(), but that is
rather how casting objects to arrays work in PHP, see
<http://3v4l.org/3R6QT>.
 [2016-02-21 12:40 UTC] nikic@php.net
-Type: Feature/Change Request +Type: Bug
 [2016-02-21 12:40 UTC] nikic@php.net
This is an artifact of vprintf not using zpp properly, it does manual argument handling instead and does it incorrectly.
 [2020-12-21 22:00 UTC] sji at sj-i dot dev
Cannot reproduce this on PHP 8.0.0 anymore.
https://3v4l.org/rXPtL
 [2020-12-21 22:02 UTC] nikic@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: nikic
 [2020-12-21 22:02 UTC] nikic@php.net
Closing per above comment.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 09:01:26 2024 UTC