php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #74545 Casting arrays to objects allows creation of attributes that start with \0
Submitted: 2017-05-05 08:58 UTC Modified: 2021-11-08 18:26 UTC
Votes:5
Avg. Score:4.2 ± 1.0
Reproduced:4 of 4 (100.0%)
Same Version:2 (50.0%)
Same OS:1 (25.0%)
From: daniil at daniil dot it Assigned:
Status: Verified Package: Class/Object related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: daniil at daniil dot it
New email:
PHP Version: OS:

 

 [2017-05-05 08:58 UTC] daniil at daniil dot it
Description:
------------
Similar to #67300.
Due to the reasons described in http://stackoverflow.com/a/5484777, we cannot read or write to/from class attributes with names that start with \0 (chr(0) or the null char).

But casting arrays with keys that start with \0 to objects does not throw any kind of error or exception.

If the resulting object is var_dumped, Illegal member variable name notices are emitted.
The same happens if we iterate over the object using foreach.
If we try to access any of such properties directly, we get a fatal error with message "Cannot access property started with '\0'".

But, if we reconvert the object back to an array using get_object_vars or an array cast, the values can still be read.


Test script:
---------------
<?php
$object = (object)[chr(0).'a' => 'a', chr(0) => 'b'];

var_dump($object);

echo "\nenum properties:\n";
foreach ($object as $p => $v) {
    var_export($p);
}

echo "\nget value under key chr(0) with get_object_vars()\n";
var_dump(get_object_vars($object)[chr(0)]);
echo "\nget value under key chr(0).'a' with get_object_vars()\n";
var_dump(get_object_vars($object)[chr(0).'a']);

echo "\nget value under key chr(0) with array cast\n";
var_dump(((array)$object)[chr(0)]);
echo "\nget value under key chr(0).'a' with array cast\n";
var_dump(((array)$object)[chr(0).'a']);

echo "\nget value under key chr(0) directly\n";
var_dump($object->{chr(0)}); // FATAL ERROR

Expected result:
----------------
A fatal error while casting such arrays, or, if possible, removal of the code that prevents accessing properties that start with \0.

Actual result:
--------------
object(stdClass)#1 (2) {
PHP Notice:  Illegal member variable name in /home/pwrtelegram/aaa.php on line 4
  ["a"]=>
  string(1) "c"
PHP Notice:  Illegal member variable name in /home/pwrtelegram/aaa.php on line 4
  [""]=>
  string(1) "b"
}

enum properties:
PHP Notice:  Illegal member variable name in /home/pwrtelegram/aaa.php on line 7
PHP Notice:  Illegal member variable name in /home/pwrtelegram/aaa.php on line 7

get value under key chr(0) with get_object_vars()
string(1) "b"

get value under key chr(0).'a' with get_object_vars()
string(1) "c"

get value under key chr(0) with array cast
string(1) "b"

get value under key chr(0).'a' with array cast
string(1) "c"

get value under key chr(0) directly
PHP Fatal error:  Uncaught Error: Cannot access property started with '\0' in /home/pwrtelegram/aaa.php:22
Stack trace:
#0 {main}
  thrown in /home/pwrtelegram/aaa.php on line 22

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-05-05 12:12 UTC] daniil at daniil dot it
Whoops, the object cast is actually
$object = (object)[chr(0).'a' => 'c', chr(0) => 'b'];
 [2021-11-08 18:26 UTC] cmb@php.net
-Status: Open +Status: Verified -Type: Bug +Type: Documentation Problem
 [2021-11-08 18:26 UTC] cmb@php.net
> But casting arrays with keys that start with \0 to objects does
> not throw any kind of error or exception.

Not quite sure what to do about this.  While it is unfortunate,
that there is no notice, I wouldn't call it bug – more a feature
request.  However, it might be more important to document the
behavior, so switching to doc problem for now.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Mon Dec 06 06:03:37 2021 UTC