Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:85855
Return-Path: <julienpauli@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 35290 invoked from network); 17 Apr 2015 16:11:46 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 17 Apr 2015 16:11:46 -0000
Authentication-Results: pb1.pair.com header.from=julienpauli@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=julienpauli@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.212.180 as permitted sender)
X-PHP-List-Original-Sender: julienpauli@gmail.com
X-Host-Fingerprint: 209.85.212.180 mail-wi0-f180.google.com  
Received: from [209.85.212.180] ([209.85.212.180:37986] helo=mail-wi0-f180.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 40/B0-39957-0C031355 for <internals@lists.php.net>; Fri, 17 Apr 2015 12:11:44 -0400
Received: by wiun10 with SMTP id n10so25872187wiu.1
        for <internals@lists.php.net>; Fri, 17 Apr 2015 09:11:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:from:date:message-id:subject:to:content-type;
        bh=I3CckMzFeG5G92XxwLehVIKIy0dXomVmNl8ziaiSQIo=;
        b=V3m/2RKkpLSkQXoUplobHi68V/Y6CKMuqhVQ56e8DpBxBQmmZn425Jdcu7jnzX2noi
         JffpSxSe4iJDp1wlzyCAa4uUfICmjvOy7p+B8OXSzVaWGNrpf3SY6/RL3y3oDQPQrje1
         l0Ja2gqCZ/99tk3p0vtC+ES7sJmq69lI8ZWZs3feFaqm3g78WBkoGcdfbTmQ7DAYWepN
         S9j9psIlUHQEfc8fhK6i5UlIPWZ4rUXxW185hfEJUhGXJI5Xz8o374Bf8QDXOjuXfVyN
         NWub9Q5KzgR3H9p5h1bz2Ip5Go+yR3+Kvvu1ylB8ACOW+/ntbz+a3ZxepSNEYZ3YYsLe
         rrUQ==
X-Received: by 10.194.142.232 with SMTP id rz8mr7436313wjb.78.1429287101728;
 Fri, 17 Apr 2015 09:11:41 -0700 (PDT)
MIME-Version: 1.0
Sender: julienpauli@gmail.com
Received: by 10.194.198.210 with HTTP; Fri, 17 Apr 2015 09:11:01 -0700 (PDT)
Date: Fri, 17 Apr 2015 18:11:01 +0200
X-Google-Sender-Auth: iyTVcy32pMafKOcF5dj94bYH7-Q
Message-ID: <CAMUwpuTZK=zqHcWG21DA5fUSODuq6njyx9+RUtQR0gQu02a5AQ@mail.gmail.com>
To: Andrew Faulds <ajf@ajf.me>, PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=089e011829e2fb0de20513edd5ea
Subject: Closure::call() to access private data, really ?
From: jpauli@php.net (Julien Pauli)

--089e011829e2fb0de20513edd5ea
Content-Type: text/plain; charset=UTF-8

Just a simple use case showing how dangerous that is :

<?php
$p = function($p) { $this->$p = new Stdclass; };
$p->call($e = new Exception, 'trace');
throw $e;


That nearly crashes PHP7.
http://3v4l.org/fJj22

(The same trick using Reflection with PHP5 crashes the engine, this is a
known bug that we chose not to fix).


I am absolutely not confident at all having Closure::call() beeing able to
access private data.

Private is private.

For internal classes, this is even worse, and could lead to crash (look at
the example about Exception).
Changing a variable that is private, is absolutely NOT expected from the
class designer.

For User classes, this could lead to information leaks or bad behaviors,
and for internal classes this is even worse and could easilly segfault or
with a little bit of more magic and brain sauce, lead to memory disclosures.

I would like we re-open the debate about accessign private data with
external code (closure), especially in a write context.


Julien.P

--089e011829e2fb0de20513edd5ea--