From: Jani Taskinen <jani@php.net>
Date: Sat, 1 Aug 2009 00:48:04 +0000 (+0000)
Subject: - Fixed bug #49074 (private class static fields can be modified by using reflection)
X-Git-Tag: php-5.3.1RC1~216
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=edbf332cea57dfc1b1d6c94ad01a65b39aa5821c;p=php

- Fixed bug #49074 (private class static fields can be modified by using reflection)
---

diff --git a/NEWS b/NEWS
index 97f1a50577..4ab3b5a1f3 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,4 @@
-PHP                                                                        NEWS
+PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2009, PHP 5.3.1
 - Fixed spl_autoload_unregister/spl_autoload_functions wrt. Closures and
@@ -8,7 +8,8 @@
 - Fixed signature generation/validation for zip archives in ext/phar. (Greg)
 - Fixed memory leak in stream_is_local(). (Felipe)
 
-- Fixed bug #48880 (Random Appearing open_basedir problem). (Rasmus+Gwynne)
+- Fixed bug #49074 (private class static fields can be modified by using
+  reflection). (Jani)
 - Fixed bug #49108 (2nd scan_dir produces seg fault). (Felipe)
 - Fixed bug #49065 ("disable_functions" php.ini option does not work on 
   Zend extensions). (Stas)
@@ -46,6 +47,7 @@
 - Fixed bug #48854 (array_merge_recursive modifies arrays after first one).
   (Felipe)
 - Fixed bug #48802 (printf() returns incorrect outputted length). (Jani)
+- Fixed bug #48880 (Random Appearing open_basedir problem). (Rasmus, Gwynne)
 - Fixed bug #48791 (open office files always reported as corrupted). (Greg)
 - Fixed bug #48788 (RecursiveDirectoryIterator doesn't descend into symlinked
   directories). (Ilia)
diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
index d3cd28e8e0..66d61c7370 100644
--- a/ext/reflection/php_reflection.c
+++ b/ext/reflection/php_reflection.c
@@ -3030,6 +3030,7 @@ ZEND_METHOD(reflection_class, getStaticProperties)
 	if (zend_parse_parameters_none() == FAILURE) {
 		return;
 	}
+	
 	GET_REFLECTION_OBJECT_PTR(ce);
 
 	zend_update_class_constants(ce TSRMLS_CC);
@@ -3045,12 +3046,17 @@ ZEND_METHOD(reflection_class, getStaticProperties)
 
 		if (zend_hash_get_current_key_ex(CE_STATIC_MEMBERS(ce), &key, &key_len, &num_index, 0, &pos) != FAILURE && key) {
 			char *prop_name, *class_name;
+			zval *prop_copy;
 
 			zend_unmangle_property_name(key, key_len-1, &class_name, &prop_name);
 
-			zval_add_ref(value);
+			/* copy: enforce read only access */
+			ALLOC_ZVAL(prop_copy);
+			*prop_copy = **value;
+			zval_copy_ctor(prop_copy);
+			INIT_PZVAL(prop_copy);
 
-			zend_hash_update(Z_ARRVAL_P(return_value), prop_name, strlen(prop_name)+1, value, sizeof(zval *), NULL);
+			add_assoc_zval(return_value, prop_name, prop_copy);
 		}
 		zend_hash_move_forward_ex(CE_STATIC_MEMBERS(ce), &pos);
 	}