var_export() doesn't escape properties properly
| Bug #55082 | var_export() doesn't escape properties properly | | |
|---|---|---|---|
| Submitted: | 2011-06-30 03:26 UTC | Modified: | 2011-06-30 05:27 UTC |
| From: | jille at hexon dot cx | Assigned: | cataphract (profile) |
| Status: | Closed | Package: | Scripting Engine problem |
| PHP Version: | 5.3.6 | OS: | n/a |
| Private report: | No | CVE-ID: | None |
[2011-06-30 03:26 UTC] jille at hexon dot cx
Description:
------------
var_export() does escape array keys properly, but doesn't use the same code for escaping properties. This might lead to code injections (when user input can be used for a property name and the var_export()ed code is eval()ed).
This was fixed for array keys in #19929 and #25758.
Test script:
---------------
<?php
$x = new stdClass();
$x->{'\' => 5)); echo "Hack.\n"; array(array(\''} = 5;
var_export($x);
?>
Expected result:
----------------
stdClass::__set_state(array(
'\' => 5)); echo "Hack.\n"; array(array(\'' => 5,
))
Note the backslashes.
Actual result:
--------------
stdClass::__set_state(array(
'' => 5)); echo "Hack.\n"; array(array('' => 5,
))
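The report above shows the injection but not the escaping that array keys already get. The following is an added example, written for this page and not taken from the report or from the PHP source: a user-land exporter that escapes property names the same way var_export() escapes array keys (backslash and single quote inside a single-quoted literal), so the exported text can be eval()ed without the attacker-chosen name breaking out of the string. The function names `export_key` and `safe_export` and the `$evil` property name (copied from the report's test script) are this example's own choices; on a PHP build affected by the bug the plain var_export() line prints the unescaped name shown under "Actual result", while `safe_export()` prints the escaped form.

```php
<?php
// Added example, not part of the bug report or of PHP itself.
// A user-land exporter that escapes object property names the way
// var_export() already escapes array keys, so eval() of the output
// reconstructs the object instead of running injected code.

// Wrap a property/array key in a single-quoted PHP literal. Inside a
// single-quoted string only backslash and single quote need escaping.
function export_key(string $name): string {
    return "'" . addcslashes($name, "'\\") . "'";
}

// Export any value. Objects and arrays are walked here so that every
// key passes through export_key(); scalars are delegated to var_export(),
// which escapes them correctly.
function safe_export($value, int $indent = 0): string {
    $pad = str_repeat('  ', $indent);
    if (is_object($value)) {
        $cls = get_class($value);
        // stdClass has no __set_state(); a cast round-trips on every version.
        $out = ($cls === 'stdClass') ? "(object) array(\n" : $cls . "::__set_state(array(\n";
        foreach (get_object_vars($value) as $name => $v) {
            $out .= $pad . '  ' . export_key((string) $name) . ' => '
                  . safe_export($v, $indent + 1) . ",\n";
        }
        return $out . $pad . (($cls === 'stdClass') ? ')' : '))');
    }
    if (is_array($value)) {
        $out = "array(\n";
        foreach ($value as $k => $v) {
            $key = is_int($k) ? (string) $k : export_key($k);
            $out .= $pad . '  ' . $key . ' => ' . safe_export($v, $indent + 1) . ",\n";
        }
        return $out . $pad . ')';
    }
    return var_export($value, true);
}

// Constructed input: the attacker-controlled property name from the report.
$evil = '\' => 5)); echo "Hack.\n"; array(array(\'';
$x = new stdClass();
$x->{$evil} = 5;

// On an affected build (5.3.6 per the report) this leaves the name unescaped.
echo "var_export():\n", var_export($x, true), "\n\n";

// The user-land exporter escapes the quote and backslash in the name.
$code = safe_export($x);
echo "safe_export():\n", $code, "\n\n";

// Round trip: eval() the escaped export and confirm the original property
// name came back intact rather than the injected echo having run.
$y = eval('return ' . $code . ';');
var_dump(property_exists($y, $evil) && $y->{$evil} === 5);
```

The defence here is the same one the array-key fixes cited in the report applied: treat every key, whether array key or property name, as data to be embedded in a single-quoted literal and escape it with `addcslashes($name, "'\\")`. Passing untrusted names through var_export() and then eval() is still a risky pattern even once the escaping is correct, so the practical advice is to serialize with `json_encode()`/`serialize()` and never eval() exported code built from user input.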
[2011-06-30 05:27 UTC] cataphract@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: cataphract