http_build_query adds %00 everywhere and allows people to see every members..

Bug #26817	http_build_query adds %00 everywhere and allows people to see every members..
Submitted:	2004-01-06 12:35 UTC	Modified:	2004-01-06 15:02 UTC
From:	nicos@php.net	Assigned:	iliaa (profile)
Status:	Closed	Package:	*Network Functions
PHP Version:	5CVS-2004-01-06 (dev)	OS:	Any
Private report:	No	CVE-ID:	None

[2004-01-06 12:35 UTC] nicos@php.net

Description:
------------
The http_build_query() function allows people to see every members of an object (even private/protected) and it adds strange %00 in the result after every private member (like \0 is converted in hex.).

Reproduce code:
---------------
class test { 
private $foo;
private $bar;

function __constructor() {
$bar = 'meuh';
$foo = 'lala';
}

$obj = new test;
var_dump(http_build_query($obj));

Expected result:
----------------
It should ignore privates/protected.

Actual result:
--------------
It doesn't ignore private/protected and it adds %00 at the end of every private/protected members.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-01-06 15:02 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

[2015-07-10 11:33 UTC] spam2 at rhsoft dot net

Related To: Bug #70039

[2015-07-10 13:21 UTC] spam2 at rhsoft dot net

Related To: Bug #70039