From: drak at zikula dot org Operating system: PHP version: 5.3.15 Package: SPL related Bug Type: Bug Bug description:Autoloaders are invoked with invalid class names
Description:
------------
It is possible to invoke class autoloaders with invalid class names leading
to
potential security issues. Classes can contain alphaumeric, underscore and
backslash characters. However, code like:
$foo = new $class
where $class might contain any arbitrary string will cause the autoloader
stack
to be called even if the $class variable contained invalid characters for a
class name.
This could lead to various file inclusion issues as detailed in
http://drak3.devmx.de/blog/2012/08/08/autoloaded-remote-file-inclusion/
However, it is not reasonable for classloaders to validate the class name
passed
to it via PHP for valid classname characters. Doing so would be an
incredible
burden on performance ever increasing with the size of the autoloader
stack.
I suggest that PHP validate the characters of the class before deciding to
call
the autoloader stack or not.
--
Edit bug report at https://bugs.php.net/bug.php?id=62789&edit=1
--
Try a snapshot (PHP 5.4):
https://bugs.php.net/fix.php?id=62789&r=trysnapshot54
Try a snapshot (PHP 5.3):
https://bugs.php.net/fix.php?id=62789&r=trysnapshot53
Try a snapshot (trunk):
https://bugs.php.net/fix.php?id=62789&r=trysnapshottrunk
Fixed in SVN:
https://bugs.php.net/fix.php?id=62789&r=fixed
Fixed in SVN and need be documented:
https://bugs.php.net/fix.php?id=62789&r=needdocs
Fixed in release:
https://bugs.php.net/fix.php?id=62789&r=alreadyfixed
Need backtrace:
https://bugs.php.net/fix.php?id=62789&r=needtrace
Need Reproduce Script:
https://bugs.php.net/fix.php?id=62789&r=needscript
Try newer version:
https://bugs.php.net/fix.php?id=62789&r=oldversion
Not developer issue:
https://bugs.php.net/fix.php?id=62789&r=support
Expected behavior:
https://bugs.php.net/fix.php?id=62789&r=notwrong
Not enough info:
https://bugs.php.net/fix.php?id=62789&r=notenoughinfo
Submitted twice:
https://bugs.php.net/fix.php?id=62789&r=submittedtwice
register_globals:
https://bugs.php.net/fix.php?id=62789&r=globals
PHP 4 support discontinued:
https://bugs.php.net/fix.php?id=62789&r=php4
Daylight Savings: https://bugs.php.net/fix.php?id=62789&r=dst
IIS Stability:
https://bugs.php.net/fix.php?id=62789&r=isapi
Install GNU Sed:
https://bugs.php.net/fix.php?id=62789&r=gnused
Floating point limitations:
https://bugs.php.net/fix.php?id=62789&r=float
No Zend Extensions:
https://bugs.php.net/fix.php?id=62789&r=nozend
MySQL Configuration Error:
https://bugs.php.net/fix.php?id=62789&r=mysqlcfg
