views:

93

answers:

1

I was working on my application and discovered strange behaviour of methods that called statically but not defined as static that extends same class. Eventually this methods can access and alter caller protected variables and methods. Here is example of my code:

<?php

class object
{
    private $version;

    protected $alteredBy = 'nobody';

    public function __construct()
    {
        $this->version    = PHP_VERSION;

        $this->objectName = get_class($this);

        echo sprintf("<pre><strong>New %s Created</strong>", $this->objectName);

    }

    public function __destruct()
    {
        echo sprintf("</pre><strong>Source Code</strong><div>%s</div>", highlight_file(__FILE__, true));
    }
}

class superApplication extends object
{
    public function __toString()
    {
        echo "\nCalling third party object statically like thirdParty::method()\n";

        echo thirdParty::method();

        echo "\nCalling third party object statically via call_user_func()\n";

        echo call_user_func(array('thirdParty','method'));

        echo sprintf("New Object params\n%s", print_r($this, true));

        return sprintf("%s: done\n", $this->objectName);
    }
}

class thirdParty extends object
{    
    public function method()
    {
        if(is_object($this))
        {
            $this->alteredBy = __CLASS__;

            return sprintf(
                "<span style=\"color:red\">Object '%s' was altered successfully by %s class</span>\n", 
                get_class($this),
                __CLASS__
            );
        }
        else return "Cannot access caller object\n\n";        
    }
}

print new superApplication;
?>

This behaviour is not documented, so I'm wondering is it bug or feature and could it lead to security issues?

UPDATE. I'm aware that $this is not allowed inside static methods and this behaviour appeared on php version 5.2.11

+1  A: 

Consider this example in PHP 5.3:

<?php
        error_reporting(E_ALL | E_STRICT);

        class A
        {
                private $a = 'A';
                protected $b= 'B';
                public $c = 'C';
        }

        class B extends A
        {
                public function __construct()
                {
                        var_dump($this->a, $this->b, $this->c);
                        C::test();
                        var_dump($this->a, $this->b, $this->c);
                }
        }

        class C extends A
        {
                public function test()
                {
                        $this->a = null;
                        $this->b = null;
                        $this->c = null;
                }
        }

        new B();
?>

The output is:

PHP Notice:  Undefined property: B::$a in ... on line 15
NULL
string(1) "B"
string(1) "C"
PHP Strict Standards:  Non-static method C::test() should not be called statically, assuming $this from incompatible context in ... on line 16
NULL
NULL
NULL

What happens is that C::test()'s $this pointer is assumed to be the $this from the new B() instance. So it is acting like a member function of B, but with C's access.

It can only access the protected and public variables from A and the public variables from B.

Note that before the call to C::test(), $this->a triggered a notice. After the call, it no longer did, because the variable was created within the call. But at no point were A's private variables accessible.

So yes, this is strictly speaking, considered to be invalid in PHP 5.3. And even if earlier versions let you do this without warning (I didn't check or research that), you should never rely on that behavior as it is obviously an abuse of OOP.

konforce