Home Original page

There is an ability to create instance of Generator by hand

Bug #64007 There is an ability to create instance of Generator by hand
Submitted: 2013-01-16 12:37 UTC Modified: 2013-01-19 09:02 UTC
From: lisachenko dot it at gmail dot com Assigned: laruence (profile)
Status: Closed Package: Reflection related
PHP Version: 5.5.0alpha2 OS: Windows 7 x64
Private report: No CVE-ID: None

 [2013-01-16 12:37 UTC] lisachenko dot it at gmail dot com

Description:
------------
Generator is an internal class, so there shouldn't be an ability to create it by hand. However, the Generator class doesn't have a private constructor and instance of it can be created via ReflectionClass. 
Solution: add a private constructor for this class to prevent instantiation (like for Closure class).

Test script:
---------------
$reflection = new ReflectionClass('Generator');
$generator  = $reflection->newInstance();
var_dump($generator);

Expected result:
----------------
Expected ReflectionException that restricts an object instantiation.
 
Fatal error: Uncaught exception 'ReflectionException' with message 'Access to non-public constructor of class Generator'

Actual result:
--------------
Generator object created:
object(Generator)#2 (0) { }

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2013-01-16 12:50 UTC] nikic@php.net

Looks like a bug in Reflection. It should get the constructor through the `get_constructor` handler, not from the class property.

 [2013-01-17 10:40 UTC] laruence@php.net

@nikic, after a digging,  I think it's better to make a private constructor for 
generators. here is the reason:

refelction_class->newInstance used to throw exception while the constructor is 
non-public..

if change to get_constructor,  boom~  FATAL ERROR.

 [2013-01-17 10:40 UTC] laruence@php.net

-Assigned To: laruence +Assigned To: nikic

 [2013-01-17 18:21 UTC] nikic@php.net

@laruence: Imho `new Foo($bar)` and `(new ReflectionClass('Foo'))->newInstance($bar)` should behave the same. So if the constructor throws a fatal error then the constructor invoked through reflection should also throw a fatal error.

If reflection doesn't go through get_constructor then it won't work correctly if that handler is overloaded. It just works so well right now because nearly noone overrides get_constructor.

 [2013-01-19 09:02 UTC] laruence@php.net

-Status: Closed +Status: Assigned -Assigned To: nikic +Assigned To: laruence