by sapphirecat 5279 days ago
> I would like to know if PHP's object implementation, which was introduced after their associative arrays, suffers from the same hash collision issues.

I was curious myself, so I went digging. Most of this stuff appears in `Zend/zend_object_handlers.c`. For objects with `std_object_handlers` set up on them (which I assume is most of them), `zend_std_read_property` can do quite a bit of work: it tries a search of the property info hash `zobj->ce`, then the `zobj->properties` hash, then calls `__get()` with protection against `__get` loops, and then gives up and returns null. `zend_hash_quick_find()`, as used for these lookups, takes a `HashTable*` as its first argument, which is also the type of a hash table in `zvalue_value`.

Thus, object properties are associative arrays, though I don't think there's an equivalent severity of attack compared to causing collisions with crafted GET/POST data, as the latter is automatically parsed. You'd have to be able to upload code to make evil objects.

Going through this exercise was fun, though:

    <?php
    $x = new stdClass();
    $x->{"b\0ar"} = 12;
    $x->{"b\0"} = 14;
    $x->{"\0bar"} = 18; // fatal error
    ?>

The "property starts '\0'" case is specially checked by the standard property handler, with no explanation...
1 comments

A leading null byte is PHP's way to mark protected and private properties. See this: http://codepad.viper-7.com/TXMSbw
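
The name mangling described in the reply above, as an added example that is not part of the original thread. It assumes PHP 7.2 or later, where the leading-NUL case is raised as a catchable `Error`; the `Account` class and the helper functions are constructed for the illustration.

```php
<?php
// Constructed class: one property of each visibility.
class Account
{
    public $name = 'alice';
    protected $role = 'user';
    private $secret = 's3cr3t';
}

// Render NUL bytes visibly so the mangled keys can be read.
function show_key(string $key): string
{
    return str_replace("\0", '\0', $key);
}

// Classify each key of the object's property table by its NUL prefix.
function property_visibility(object $obj): array
{
    $out = [];
    foreach ((array) $obj as $key => $value) {
        $key = (string) $key;
        if ($key === '' || $key[0] !== "\0") {
            $out[show_key($key)] = 'public';
            continue;
        }
        // Mangled form: "\0" . scope . "\0" . name; scope "*" means protected,
        // any other scope is the class that declared the private property.
        $end = strpos($key, "\0", 1);
        $scope = substr($key, 1, $end - 1);
        $out[show_key($key)] = $scope === '*' ? 'protected' : "private to $scope";
    }
    return $out;
}

print_r(property_visibility(new Account()));

// A dynamic property name starting with NUL would collide with the mangled
// namespace, so the standard property handler refuses it.
try {
    $x = new stdClass();
    $x->{"\0bar"} = 18;
} catch (Error $e) {
    echo get_class($e), ': ', $e->getMessage(), "\n";
}
```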