It is possible to invoke class autoloaders with invalid class names leading to
potential security issues. Classes can contain alphanumeric, underscore and
backslash characters. However, code like:
$foo = new $class;
where $class might contain any arbitrary string will cause the autoloader stack
to be called even if the $class variable contained invalid characters for a
This could lead to various file inclusion issues as detailed in
However, it is not reasonable for classloaders to validate the class name passed
to it via PHP for valid classname characters. Doing so would be an incredible
burden on performance ever increasing with the size of the autoloader stack.
I suggest that PHP validate the characters of the class before deciding to call
the autoloader stack or not.
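As an added example (not code from the bug report or from PHP itself), an spl_autoload_register callback that applies the character check described above before mapping a class name to a file, for installations that cannot rely on the interpreter doing it; the src/ directory layout and the helper names are assumptions:

```php
<?php
// Added example: a guarded autoloader that validates the class name against
// PHP's identifier grammar before turning it into a filesystem path, so an
// arbitrary string reaching `new $class` never reaches the loader's include.

// Optional leading backslash, then one or more backslash-separated segments.
// Segment grammar follows the PHP manual: a letter, underscore or byte >= 0x80,
// followed by letters, digits, underscores or bytes >= 0x80.
const CLASS_NAME_PATTERN =
    '/^\\\\?[A-Za-z_\x80-\xff][A-Za-z0-9_\x80-\xff]*'
    . '(\\\\[A-Za-z_\x80-\xff][A-Za-z0-9_\x80-\xff]*)*$/';

function is_valid_class_name(string $class): bool
{
    return preg_match(CLASS_NAME_PATTERN, $class) === 1;
}

// Maps a validated class name to a path under $baseDir (assumed layout:
// Vendor\Package\Foo -> $baseDir/Vendor/Package/Foo.php). Null means rejected.
function class_to_path(string $class, string $baseDir): ?string
{
    if (!is_valid_class_name($class)) {
        return null;
    }
    $relative = str_replace('\\', DIRECTORY_SEPARATOR, ltrim($class, '\\')) . '.php';
    return $baseDir . DIRECTORY_SEPARATOR . $relative;
}

spl_autoload_register(function (string $class): void {
    $path = class_to_path($class, __DIR__ . '/src');
    if ($path === null) {
        // Refuse to touch the filesystem; PHP then reports the class as missing.
        error_log('autoload: rejected invalid class name ' . json_encode($class));
        return;
    }
    if (is_file($path)) {
        require $path;
    }
});

// Constructed inputs: two well-formed names, one with a path separator, one with
// an empty namespace segment. Only the first two pass the check.
foreach (['Vendor\\Package\\Foo', '\\Foo_Bar9', '../not/a/class', 'Foo\\\\Bar'] as $name) {
    printf("%-22s %s\n", json_encode($name), is_valid_class_name($name) ? 'accepted' : 'rejected');
}
```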
As indicated in the blog post linked in the issue report, a few functions are
affected (i.e. they can trigger the autoload function with an invalid class name):
I suggest not creating a class from arbitrary strings you pick up from the
internet . . .
Looks like this bug was fixed at some point in 5.4.
Indeed, this issue has been resolved as of PHP 5.4.24 and PHP
| Added validation of class names in the autoload process.