On Mon, Apr 20, 2015 at 12:21 AM, Stanislav Malyshev <smalys...@gmail.com> wrote:
> Hi!
>
> > Just a simple use case showing how dangerous that is:
> >
> > <?php
> > $p = function($p) { $this->$p = new Stdclass; };
> > $p->call($e = new Exception, 'trace');
> > throw $e;
>
> Yes, this is not good, and this is the consequence of allowing to rebind
> closures. I'm not sure though how to fix it except for banning closures
> from assuming scope of internal classes. If you assigned the scope of
> Exception to it, it should have access to Exception - that's how the
> scope works.
>
> > For User classes, this could lead to information leaks or bad behaviors,
>
> I'm not sure what you mean by "information leaks", but the behavior is
> on whoever wrote that code. People can write bad code, we can't disallow
> this. We can restrict things that would really break (like segfault) but
> I'm not sure what else we can do here. If you have the scope of the
> class, that implies access to the private members of the class. So we
> either have to not let the closure have the scope, or invent some
> additional term of scope' that is not like real scope. I don't think
> it'd be good.
>

Yup Stas.

Perhaps the best thing to do is to forbid rebinding a Closure to an internal class?
I'm sure we could find segfaulting behaviors using such a trick on most of our internal classes, aka mysqli, simplexmlelement, PDO or SPL classes.

Thoughts?

Julien.P
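The scope rule discussed above, applied to a user class, as an added example that is not part of the original thread. The `ApiSession` class, its properties and the sample token are hypothetical and constructed for illustration; typed properties assume PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Constructed user class (hypothetical): a private secret plus a private
// flag that only the class's own methods are meant to touch.
final class ApiSession
{
    private string $token;
    private bool $isAdmin = false;

    public function __construct(string $token) { $this->token = $token; }
    public function isAdmin(): bool { return $this->isAdmin; }
}

$session = new ApiSession('constructed-sample-token');

// Closures created outside any class: they start with no class scope.
$read  = function (string $prop) { return $this->$prop; };
$write = function (string $prop, $value): void { $this->$prop = $value; };

// 1. bindTo() with only a new $this keeps the closure's current scope
//    (none here), so private members stay out of reach.
try {
    $read->bindTo($session)('token');
    $unscoped = 'read succeeded';
} catch (Error $e) {
    $unscoped = 'blocked: ' . $e->getMessage();
}

// 2. call() binds $this and also takes the scope of the object's class,
//    which is what grants access to the private members.
$leaked = $read->call($session, 'token');
$write->call($session, 'isAdmin', true);

// 3. Closure::bind() with an explicit scope argument has the same effect.
$scoped = Closure::bind($read, $session, ApiSession::class)('token');

echo $unscoped, PHP_EOL;
echo 'call() read private $token: ', $leaked, PHP_EOL;
echo 'isAdmin after call() write: ', var_export($session->isAdmin(), true), PHP_EOL;
echo 'bind() with scope read:     ', $scoped, PHP_EOL;
```

Private visibility is therefore not a confidentiality boundary against other code running in the same process. In code review, uses of `Closure::bind`, `bindTo` with a scope argument, and `call` on a foreign object are the places to check.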