|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2017-06-14 19:16 UTC] stas@php.net
-Type: Security
+Type: Bug
[2017-06-14 19:16 UTC] stas@php.net
[2017-06-14 19:27 UTC] kelunik@php.net
-Status: Open
+Status: Not a bug
[2017-06-14 19:27 UTC] kelunik@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sun Oct 27 16:01:27 2024 UTC |
Description: ------------ \Closure::call allows full access to private properties when the closure contains $this->... Test script: --------------- <?php class A { private $C = 1; private function B() { return "B"; } } $a = new A; $b = function() { return $this->B(); }; $c = function() { $this->C = 2; }; var_dump($b->call($a)); $c->call($a); var_dump($a); ?> Expected result: ---------------- PHP Fatal error: Uncaught Error: Call to private method A::B() from context '' in /tmp/test.php:22 Actual result: -------------- string(1) "B" object(A)#1 (1) { ["C":"A":private]=> int(2) }