Bug #53932 is_callable invokes autoloading unnecessarily
Submitted: 2011-02-04 22:44 UTC Modified: 2011-02-05 22:56 UTC
From: rubs33 at gmail dot com Assigned:
Status: Not a bug Package: Reproducible crash
PHP Version: 5.3.5 OS: Linux
Private report: No CVE-ID: None
 [2011-02-04 22:44 UTC] rubs33 at gmail dot com
Description:
------------
The PHP core function "is_callable" invokes autoloading when it receives a string callback that contains "::", even when the class does not have a valid name.

It could be smarter, invoking autoloading only when the class name is a valid class name, as described by the expression [a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]* from the documentation (http://www.php.net/manual/en/language.oop5.basic.php). It should check whether a namespace was used too.

Often, the is_callable function is not invoked in a try/catch context. So, in many cases, it could crash PHP execution. For example, a dispatcher implementation that receives a controller class and an action (method) from the user creates a callback and tests it with is_callable.

Test script:
---------------
<?php

function __autoload($class) { 
    printf("Required class: '%s'\n", $class);
    throw new Exception('Error');
}

var_dump(is_callable('invalid name::method'));

Expected result:
----------------
bool(false)

Actual result:
--------------
Required class: 'invalid name'
PHP Fatal error:  Uncaught exception 'Exception' with message 'Error' in %s:5

 [2011-02-05 03:56 UTC] cataphract@php.net
-Status: Open +Status: Bogus
 [2011-02-05 03:56 UTC] cataphract@php.net
1. A fatal error is not a crash.
2. What constitutes an acceptable class name is, in practice, more ample than what's in the manual, though there are no guarantees it will work in the future.
3. You don't have to throw exceptions from __autoload; in fact, if you did, you were unable to catch them prior to 5.3.
4. Validate user input.
 [2011-02-05 22:56 UTC] rubs33 at gmail dot com
ok
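
Added example (not part of the original report or of PHP itself): one way a dispatcher can follow the "validate user input" advice, rejecting controller and action names before is_callable() is reached so that the autoloader never receives them. The names resolveCallback, IDENT, HomeController and the allowlist are assumptions made for illustration; the allowlist check goes one step beyond the syntax check discussed in the report.

```php
<?php
// Added example: validate a user-supplied controller/action before is_callable().
// resolveCallback(), IDENT, HomeController and $allowed are hypothetical names.

// Identifier pattern quoted in the report, taken from the PHP manual.
const IDENT = '[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*';

// Autoloader that throws, mirroring the report's test script.
spl_autoload_register(function (string $class): void {
    printf("Required class: '%s'\n", $class);
    throw new Exception('Error');
});

// Stand-in controller, defined inline so the example runs without extra files.
final class HomeController
{
    public static function index(): string { return 'home'; }
}

/**
 * Return a callable for controller::action, or null when the input is rejected.
 * Rejected names never reach is_callable(), so autoloading is not triggered.
 */
function resolveCallback(string $controller, string $action, array $allowed): ?callable
{
    // Class name: identifiers separated by single backslashes (namespaces).
    if (!preg_match('/\A' . IDENT . '(?:\\\\' . IDENT . ')*\z/', $controller)) {
        return null;
    }
    // Method name: a single identifier.
    if (!preg_match('/\A' . IDENT . '\z/', $action)) {
        return null;
    }
    // Stricter than syntax: only controllers the application registered.
    if (!in_array($controller, $allowed, true)) {
        return null;
    }
    $callback = [$controller, $action];
    return is_callable($callback) ? $callback : null;
}

$allowed = ['HomeController'];                                   // constructed sample allowlist
var_dump(resolveCallback('invalid name', 'method', $allowed));   // fails the identifier check
var_dump(resolveCallback('Unknown\\Thing', 'method', $allowed)); // valid syntax, not on the allowlist
var_dump(resolveCallback('HomeController', 'missing', $allowed)); // class is known, method does not exist
var_dump(resolveCallback('HomeController', 'index', $allowed) !== null); // accepted
```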
Last updated: Sat Apr 20 12:01:28 2024 UTC