Bug #75348 Private/protected property disclosure
Submitted: 2017-10-10 03:58 UTC Modified: 2021-07-12 08:26 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: anrdaemon at freemail dot ru Assigned: nikic (profile)
Status: Closed Package: *General Issues
PHP Version: 7.2.0RC3 OS: All
Private report: No CVE-ID: None
 [2017-10-10 03:58 UTC] anrdaemon at freemail dot ru
Description:
------------
It is possible to access values (and names to an extent) of all object properties regardless of their access level using reset/end/each.

This behavior also prevents the expected behavior from using reset/next/current with classes implementing Iterator/ArrayAccess interfaces.

Test script:
---------------
<?php

class MyClass
{
  private $var1 = 'Some value 1';
  protected $var2 = 'Some value 2';
  protected $var3 = 'Some value 3';
}

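$obj = new MyClass;
// foreach from outside the class only sees public properties, so this prints nothing.
foreach($obj as $key => $value)
{
  print "$key => $value\n";
}
// reset()/each() are not visibility-aware: this loop dumps every property.
reset($obj);
while($val = each($obj)) print_r($val);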


Expected result:
----------------
No output.

Actual result:
--------------
The class content is dumped from second loop.

 [2017-10-10 04:06 UTC] googleguy@php.net
The array pointer functions really should just throw a type error here instead of blindly casting the object to an array. HHVM gets it right, why shouldn't we? I thought we were supposed to be more aligned in implementation.
 [2017-10-10 04:11 UTC] requinix@php.net
Probably BC, though there's a warning that each() on an object is undefined. And the whole function is deprecated anyways.
 [2017-10-12 00:11 UTC] anrdaemon at freemail dot ru
each() may be deprecated, but reset() and end() still let you access the respective properties of an object.
 [2021-07-12 08:26 UTC] nikic@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: nikic
 [2021-07-12 08:26 UTC] nikic@php.net
All IAP functions on objects are deprecated as of PHP 8.1 (https://wiki.php.net/rfc/deprecations_php_8_1#key_current_next_prev_reset_on_objects), so I consider this resolved. (The "each" function in particular has already been removed entirely in PHP 8.0.)
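
An added example, not part of the report or of PHP itself: it contrasts the scope-aware view of the test script's object with its array view, and shows the TypeError behaviour requested in the first comment using hypothetical wrappers safe_reset()/safe_end(). The (array) cast and its NUL-mangled key names are documented PHP behaviour; treating that cast as the view the array pointer functions see follows the first comment's description.

```php
<?php
// Added example; exposed_by_array_cast(), safe_reset() and safe_end()
// are hypothetical helper names, not PHP built-ins.

class MyClass
{
    private $var1 = 'Some value 1';
    protected $var2 = 'Some value 2';
    protected $var3 = 'Some value 3';
}

// Keys exposed by an (array) cast, with the NUL-byte mangling made printable:
// private => "\0Class\0prop", protected => "\0*\0prop", public => "prop".
function exposed_by_array_cast(object $obj): array
{
    $out = [];
    foreach ((array) $obj as $key => $value) {
        $out[str_replace("\0", '\\0', (string) $key)] = $value;
    }
    return $out;
}

// Strict wrappers: the array type declaration makes PHP throw a TypeError
// for an object argument instead of walking its property table.
function safe_reset(array &$a) { return reset($a); }
function safe_end(array &$a)   { return end($a); }

$obj = new MyClass;

// Called from outside the class, get_object_vars() honours visibility,
// so the result is an empty array.
echo "scope-aware view:\n";
print_r(get_object_vars($obj));

// The array view ignores visibility; private keys also carry the class name.
echo "array view:\n";
print_r(exposed_by_array_cast($obj));

try {
    safe_reset($obj);
} catch (TypeError $e) {
    echo "safe_reset() rejected an object argument\n";
}

// Real arrays still work as before.
$list = ['a', 'b', 'c'];
echo "last element: ", safe_end($list), "\n";
```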
 