php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #62789 Autoloaders are invoked with invalid class names
Submitted: 2012-08-09 20:04 UTC Modified: 2015-09-08 14:02 UTC
Votes:5
Avg. Score:4.4 ± 0.5
Reproduced:2 of 3 (66.7%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: drak at zikula dot org Assigned: cmb (profile)
Status: Closed Package: SPL related
PHP Version: 5.3.15 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: drak at zikula dot org
New email:
PHP Version: OS:

 

 [2012-08-09 20:04 UTC] drak at zikula dot org 
Description:
------------
It is possible to invoke class autoloaders with invalid class names leading to 
potential security issues. Classes can contain alphaumeric, underscore and 
backslash characters. However, code like:

    $foo = new $class

where $class might contain any arbitrary string will cause the autoloader stack 
to be called even if the $class variable contained invalid characters for a 
class name.

This could lead to various file inclusion issues as detailed in 
http://drak3.devmx.de/blog/2012/08/08/autoloaded-remote-file-inclusion/

However, it is not reasonable for classloaders to validate the class name passed 
to it via PHP for valid classname characters. Doing so would be an incredible 
burden on performance ever increasing with the size of the autoloader stack.

I suggest that PHP validate the characters of the class before deciding to call 
the autoloader stack or not.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-08-10 07:27 UTC] victor dot berchet at sensiolabs dot com 
As indicated in the blog post linked in the issue report, a few functions are 
affected (ie they can trigger the autoload function with an invalid class name):

- class_exists()
- interface_exists()
- class_parents()
- class_implements()
- is_subclass_of()
 [2013-02-05 17:39 UTC] levim@php.net 
I suggest not creating a class from arbitrary strings you pick up from the 
internet . . .
 [2014-05-30 05:00 UTC] php at danielfriesen dot name 
Looks like this bug was fixed at some point in 5.4.
 [2015-09-08 14:02 UTC] cmb@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cmb
 [2015-09-08 14:02 UTC] cmb@php.net 
Indeed, this issue has been resolved as of PHP 5.4.24[1] and PHP
5.5.8:

| Added validation of class names in the autoload process.

[1] <http://www.php.net/ChangeLog-5.php#5.4.24>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 26 02:01:29 2024 UTC