Bug #75348 Private/protected property disclosure
Submitted: 2017-10-10 03:58 UTC Modified: 2017-10-10 04:11 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: anrdaemon at freemail dot ru Assigned:
Status: Open Package: *General Issues
PHP Version: 7.2.0RC3 OS: All
Private report: No CVE-ID: None
 [2017-10-10 03:58 UTC] anrdaemon at freemail dot ru
Description:
------------
It is possible to access values (and names to an extent) of all object properties regardless of their access level using reset/end/each.

This behavior also prevents the expected behavior from using reset/next/current with classes implementing Iterator/ArrayAccess interfaces.

Test script:
---------------
<?php

class MyClass
{
  private $var1 = 'Some value 1';
  protected $var2 = 'Some value 2';
  protected $var3 = 'Some value 3';
}

$obj = new MyClass;
foreach($obj as $key => $value)
{
  print "$key => $value\n";
}
reset($obj);
while($val = each($obj)) print_r($val);


Expected result:
----------------
No output.

Actual result:
--------------
The class content is dumped from second loop.

History

 [2017-10-10 04:06 UTC] googleguy@php.net
The array pointer functions really should just throw a type error here instead of blindly casting the object to an array. HHVM gets it right, why shouldn't we? I thought we were supposed to be more aligned in implementation.
 [2017-10-10 04:11 UTC] requinix@php.net
Probably BC, though there's a warning that each() on an object is undefined. And the whole function is deprecated anyways.
 [2017-10-12 00:11 UTC] anrdaemon at freemail dot ru
each() may be deprecated, but reset() and end() still let you access the respective properties of an object.
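
A userland guard in the spirit of the TypeError suggested in the comments above: it refuses plain objects instead of letting an array pointer function read their property table, and it uses an object's own iteration when the object is Traversable. This is an added example, not code from the report or from PHP itself; `first_value()`, `Secretive` and `PublicList` are hypothetical names and the values are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not a PHP built-in): return the first element of an
 * array or Traversable, and reject plain objects instead of casting them.
 */
function first_value($subject)
{
    if (is_array($subject)) {
        // $subject is a by-value copy, so the caller's array pointer is untouched.
        return $subject === [] ? null : reset($subject);
    }
    if ($subject instanceof Traversable) {
        // Use the object's declared iteration, never its property table.
        foreach ($subject as $value) {
            return $value;
        }
        return null;
    }
    throw new TypeError(sprintf(
        'first_value() expects array or Traversable, %s given',
        is_object($subject) ? get_class($subject) : gettype($subject)
    ));
}

// Constructed sample classes for the demonstration.
class Secretive
{
    private $token = 'constructed-secret';
}

class PublicList implements IteratorAggregate
{
    private $token = 'constructed-secret';
    private $items = ['a', 'b'];

    public function getIterator(): Iterator
    {
        return new ArrayIterator($this->items);
    }
}

var_dump(first_value(['x', 'y']));     // plain array: first element
var_dump(first_value(new PublicList)); // Traversable: first yielded item, not $token

try {
    first_value(new Secretive);        // plain object: rejected, nothing is read
} catch (TypeError $e) {
    echo get_class($e), ': ', $e->getMessage(), "\n";
}
```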
 
Last updated: Sat Jun 19 16:01:23 2021 UTC