php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #67713 loosen the restrictions on ReflectionClass::newInstanceWithoutConstructor()
Submitted: 2014-07-30 08:39 UTC Modified: 2014-07-30 08:52 UTC
From: tyrael@php.net Assigned: tyrael
Status: Closed Package: Reflection related
PHP Version: 5.6.0RC2 OS:
Private report: No CVE-ID:
 [2014-07-30 08:39 UTC] tyrael@php.net
Description:
------------
with the removal of the unserialize O: bypass in https://bugs.php.net/bug.php?id=67072 now a bunch of userland tools are broken with 5.6, as there is no easy way to instantiate internal classes without calling their constructors.
as explained on the mailing list(http://www.serverphorums.com/read.php?7,959450,987654#msg-987654) and in the pull request(https://github.com/php/php-src/pull/733), the current limitation in the Reflection::newInstanceWithoutConstructor() method is rather arbitrary, so making it less rigid would allow the affected userland libs/tools to have a clear upgrade path.


Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-07-30 08:39 UTC] tyrael@php.net
-Assigned To: +Assigned To: tyrael
 [2014-07-30 08:52 UTC] tyrael@php.net
-Status: Assigned +Status: Closed
 [2014-07-30 08:52 UTC] tyrael@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Wed Apr 26 23:01:37 2017 UTC