php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #64007 There is an ability to create instance of Generator by hand
Submitted: 2013-01-16 12:37 UTC Modified: 2013-01-19 09:02 UTC
From: lisachenko dot it at gmail dot com Assigned: laruence
Status: Closed Package: Reflection related
PHP Version: 5.5.0alpha2 OS: Windows 7 x64
Private report: No CVE-ID:
 [2013-01-16 12:37 UTC] lisachenko dot it at gmail dot com
Description:
------------
Generator is an internal class, so there shouldn't be an ability to create it by hand. However, the Generator class doesn't have a private constructor and instance of it can be created via ReflectionClass. 
Solution: add a private constructor for this class to prevent instantiation (like for Closure class).

Test script:
---------------
$reflection = new ReflectionClass('Generator');
$generator  = $reflection->newInstance();
var_dump($generator);

Expected result:
----------------
Expected ReflectionException that restricts an object instantiation.
 
Fatal error: Uncaught exception 'ReflectionException' with message 'Access to non-public constructor of class Generator'

Actual result:
--------------
Generator object created:
object(Generator)#2 (0) { }

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-01-16 12:50 UTC] nikic@php.net
Looks like a bug in Reflection. It should get the constructor through the `get_constructor` handler, not from the class property.
 [2013-01-17 10:07 UTC] laruence@php.net
agree, I will make a patch
 [2013-01-17 10:07 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2013-01-17 10:40 UTC] laruence@php.net
@nikic, after a digging,  I think it's better to make a private constructor for 
generators. here is the reason:

refelction_class->newInstance used to throw exception while the constructor is 
non-public..

if change to get_constructor,  boom~  FATAL ERROR.
 [2013-01-17 10:40 UTC] laruence@php.net
-Assigned To: laruence +Assigned To: nikic
 [2013-01-17 18:21 UTC] nikic@php.net
@laruence: Imho `new Foo($bar)` and `(new ReflectionClass('Foo'))->newInstance($bar)` should behave the same. So if the constructor throws a fatal error then the constructor invoked through reflection should also throw a fatal error.

If reflection doesn't go through get_constructor then it won't work correctly if that handler is overloaded. It just works so well right now because nearly noone overrides get_constructor.
 [2013-01-19 09:02 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2013-01-19 09:02 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f7b99c481d0a943d922e99ad9afa82c45193030e
Log: Fixed bug #64007 (There is an ability to create instance of Generator by hand).
 [2013-01-19 09:02 UTC] laruence@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2013-01-19 09:02 UTC] laruence@php.net
-Status: Closed +Status: Assigned -Assigned To: nikic +Assigned To: laruence
 [2013-01-19 09:04 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2013-01-19 09:04 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f7b99c481d0a943d922e99ad9afa82c45193030e
Log: Fixed bug #64007 (There is an ability to create instance of Generator by hand).
 [2013-11-17 09:31 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f7b99c481d0a943d922e99ad9afa82c45193030e
Log: Fixed bug #64007 (There is an ability to create instance of Generator by hand).
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 10:02:09 2014 UTC