PHP :: Doc Bug #74545 :: Casting arrays to objects allows creation of attributes that start with \0

Casting arrays to objects allows creation of attributes that start with \0

Submitted:

2017-05-05 08:58 UTC

Modified:

2021-11-08 18:26 UTC

Votes:	5
Avg. Score:	4.2 ± 1.0
Reproduced:	4 of 4 (100.0%)
Same Version:	2 (50.0%)
Same OS:	1 (25.0%)

From:

daniil at daniil dot it

Assigned:

Status:

Verified

Package:

Class/Object related

PHP Version:

Irrelevant

OS:

Private report:

CVE-ID:

None

View Developer Edit

[2017-05-05 08:58 UTC] daniil at daniil dot it

Description:
------------
Similar to #67300.
Due to the reasons described in http://stackoverflow.com/a/5484777, we cannot read or write to/from class attributes with names that start with \0 (chr(0) or the null char).

But casting arrays with keys that start with \0 to objects does not throw any kind of error or exception.

If the resulting object is var_dumped, Illegal member variable name notices are emitted.
The same happens if we iterate over the object using foreach.
If we try to access any of such properties directly, we get a fatal error with message "Cannot access property started with '\0'".

But, if we reconvert the object back to an array using get_object_vars or an array cast, the values can still be read.


Test script:
---------------
<?php
$object = (object)[chr(0).'a' => 'a', chr(0) => 'b'];

var_dump($object);

echo "\nenum properties:\n";
foreach ($object as $p => $v) {
    var_export($p);
}

echo "\nget value under key chr(0) with get_object_vars()\n";
var_dump(get_object_vars($object)[chr(0)]);
echo "\nget value under key chr(0).'a' with get_object_vars()\n";
var_dump(get_object_vars($object)[chr(0).'a']);

echo "\nget value under key chr(0) with array cast\n";
var_dump(((array)$object)[chr(0)]);
echo "\nget value under key chr(0).'a' with array cast\n";
var_dump(((array)$object)[chr(0).'a']);

echo "\nget value under key chr(0) directly\n";
var_dump($object->{chr(0)}); // FATAL ERROR

Expected result:
----------------
A fatal error while casting such arrays, or, if possible, removal of the code that prevents accessing properties that start with \0.

Actual result:
--------------
object(stdClass)#1 (2) {
PHP Notice:  Illegal member variable name in /home/pwrtelegram/aaa.php on line 4
  ["a"]=>
  string(1) "c"
PHP Notice:  Illegal member variable name in /home/pwrtelegram/aaa.php on line 4
  [""]=>
  string(1) "b"
}

enum properties:
PHP Notice:  Illegal member variable name in /home/pwrtelegram/aaa.php on line 7
PHP Notice:  Illegal member variable name in /home/pwrtelegram/aaa.php on line 7

get value under key chr(0) with get_object_vars()
string(1) "b"

get value under key chr(0).'a' with get_object_vars()
string(1) "c"

get value under key chr(0) with array cast
string(1) "b"

get value under key chr(0).'a' with array cast
string(1) "c"

get value under key chr(0) directly
PHP Fatal error:  Uncaught Error: Cannot access property started with '\0' in /home/pwrtelegram/aaa.php:22
Stack trace:
#0 {main}
  thrown in /home/pwrtelegram/aaa.php on line 22

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-05-05 12:12 UTC] daniil at daniil dot it

Whoops, the object cast is actually
$object = (object)[chr(0).'a' => 'c', chr(0) => 'b'];

[2021-11-08 18:26 UTC] cmb@php.net

-Status: Open +Status: Verified -Type: Bug +Type: Documentation Problem

[2021-11-08 18:26 UTC] cmb@php.net

> But casting arrays with keys that start with \0 to objects does
> not throw any kind of error or exception.

Not quite sure what to do about this.  While it is unfortunate,
that there is no notice, I wouldn't call it bug – more a feature
request.  However, it might be more important to document the
behavior, so switching to doc problem for now.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Nov 30 10:01:28 2024 UTC