|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74758 \Closure::call allows full access to private properties
Submitted: 2017-06-14 08:53 UTC Modified: 2017-06-14 19:27 UTC
From: martijn at openbsd dot org Assigned:
Status: Not a bug Package: Class/Object related
PHP Version: 7.0.20 OS: Irrelevant
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: martijn at openbsd dot org
New email:
PHP Version: OS:


 [2017-06-14 08:53 UTC] martijn at openbsd dot org
\Closure::call allows full access to private properties when the closure contains $this->...

Test script:
class A {
        private $C = 1;
        private function B() {
                return "B";

$a = new A;

$b = function() {
        return $this->B();

$c = function() {
        $this->C = 2;


Expected result:
PHP Fatal error:  Uncaught Error: Call to private method A::B() from context '' in /tmp/test.php:22

Actual result:
string(1) "B"
object(A)#1 (1) {


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2017-06-14 19:16 UTC]
-Type: Security +Type: Bug
 [2017-06-14 19:16 UTC]
Not a security issue, PPP is not a security measure.
 [2017-06-14 19:27 UTC]
-Status: Open +Status: Not a bug
 [2017-06-14 19:27 UTC]
This is expected behavior, see

> The “bound object” determines the value $this will have in the function body and the “class scope” represents a class which determines which private and protected members the anonymous function will be able to access.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Jul 18 05:01:28 2024 UTC