php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #44854 access to a private/protected property should not be allowed
Submitted: 2008-04-28 13:40 UTC Modified: 2008-04-28 13:57 UTC
From: doctorrock83 at gmail dot com Assigned:
Status: Not a bug Package: Class/Object related
PHP Version: 5.2.5 OS: Windows XP
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: doctorrock83 at gmail dot com
New email:
PHP Version: OS:

 

 [2008-04-28 13:40 UTC] doctorrock83 at gmail dot com
Description:
------------
In some cases, PHP doesn't handle the visibility correctly, allowing a private or protected member to be directly accessed via $obj->prop

This seems to happen when a class stores instances of itself and tries to access their properties.

Reproduce code:
---------------
<?php
class bar
{
    private $a;    
    private $children = array();
    
    public function __construct($infiniteDepth)
    {
        $this->a = 'foo';
        if ($infiniteDepth) $this->children[] = new self(false);
    }
    
    public function privateAcces()
    {
        foreach ($this->children as $child) {
            echo $child->a; // here is the bug
        }
    }    
}

$t = new toto(true);
$t->privateAcces();

Expected result:
----------------
fatal error as we access the private 'a' property from a non-$this context

Actual result:
--------------
the property gets read correctly, as if it was public

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-04-28 13:57 UTC] derick@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

This is expected as access control is *class* based, and not object based.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu May 30 13:01:29 2024 UTC