php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #55449 Static private and static protected properties have a backdoor.
Submitted: 2011-08-18 14:16 UTC Modified: 2011-08-18 14:51 UTC
From: 0gb dot us at 0gb dot us Assigned:
Status: Not a bug Package: Class/Object related
PHP Version: 5.3.6 OS: Mac OS X
Private report: No CVE-ID: None
 [2011-08-18 14:16 UTC] 0gb dot us at 0gb dot us
Description:
------------
I use a static private property in one of my classes, so objects in that class can track data, while keeping it away from other parts of the script. However, I found you can exploit a backdoor to reach the property from places that should be outside the property's visibility, by using variable variables. Upon further testing, I found the same backdoor exists for static protected properties. Using this backdoor, you can get or set the property's value.

Non-static properties seem to be unaffected by this bug.

It doesn't seem particularly dangerous, but I thought I'd report it just the same.

Test script:
---------------
<?php class exampleclass {
private static $staticprivate = "test #0";
protected static $staticprotected = "test #1";
private $private = "test #2";
protected $protected = "test #3"; }

$test0 = "\0exampleclass\0staticprivate";
$test1 = "\0*\0staticprotected";
$test2 = "\0exampleclass\0private";
$test3 = "\0*\0protected";

$object = new exampleclass;

echo exampleclass::$$test0;//test #0
echo exampleclass::$$test1;//test #1
echo $object->$test2;//<b>Fatal error</b>:  Cannot access property started with '\0' in ...
echo $object->$test3;//<b>Fatal error</b>:  Cannot access property started with '\0' in ...

echo $object->{"\0*\0private"};//<b>Fatal error</b>:  Cannot access property started with '\0' in ...
echo $object->{"\0*\0protected"};//<b>Fatal error</b>:  Cannot access property started with '\0' in ...

Expected result:
----------------
All six echo()s should cause a fatal error.

Actual result:
--------------
Only the last four echo()s cause a fatal error.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-08-18 14:41 UTC] johannes@php.net
-Status: Open +Status: Bogus
 [2011-08-18 14:41 UTC] johannes@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

If one shoots oneself in the foot that's ok. If people really want to bypass such checks we don't prevent them. They aren't a security thing or something but a help to structure and isolate code. For reading out there are things like var_dump() which give access to them, too.
 [2011-08-18 14:47 UTC] 0gb dot us at 0gb dot us
I just realized a smaller script would have gotten the point across better. Sorry.

<?php class exampleclass {
private static $staticprivate = "test #0";
protected static $staticprotected = "test #1"; }

$test0 = "\0exampleclass\0staticprivate";
$test1 = "\0*\0staticprotected";

echo exampleclass::$$test0;//test #0
echo exampleclass::$$test1;//test #1
 [2011-08-18 14:51 UTC] 0gb dot us at 0gb dot us
Opps, I posted that note before I saw your response. You were quick! Thanks for the information, and have a nice day.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Oct 31 22:01:27 2024 UTC