yii2: BaseObject and Component Magic Methods do not conform to PHP Visibility: protected setters accessible publicly

What steps will reproduce the problem?

Make a subclass of Component with a private property and protected getter and protected setter.

$obj->getMyProperty();    // will fail
$obj->setMyProperty("new value");   //will fail

$value = $obj->MyProperty;   //is successful and does not fail
$obj->MyProperty = "new value";   //is successful and does not fail

The problem is that method_exists disregards the public/protected/private status of methods and only says if they exist. A further step must be done to determine if the method is public or not.

What is the expected result?

To conform to OOP principles where the property is inaccessible when the getter and setter methods are protected.

What do you get instead?

Rather than failure, errors, or NOOP (calling protected methods is NOOP), it produces the MyProperty and sets MyProperty on protected methods by magic method.

Additional info

We found this bug in PRADO, the parent of Yii. I thought I’d be a good Human Being™ and report that this could be a serious bug.

Publicly accessing protected and private properties by magic methods could be a “CRITICAL” security issue for some people.

About this issue

  • State: open
  • Created a year ago
  • Comments: 31 (16 by maintainers)
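
The behaviour reported above, reduced to a self-contained sketch, next to one way of doing the "further step" the report asks for. This is an added example, not code from Yii, PRADO or the issue; all class, trait and method names (`MagicBase`, `accessorAllowed`, `GuardedBalance`, ...) are hypothetical, and the use of `ReflectionMethod::isPublic()` is an assumption about how the check could be done.

```php
<?php
// Added illustration; every name here is hypothetical, not Yii or PRADO code.
trait GuardedBalance
{
    private $balance = 100;
    protected function getBalance() { return $this->balance; }
    protected function setBalance($value) { $this->balance = $value; }
}

abstract class MagicBase
{
    // Decides whether a getXxx/setXxx method may back a magic property.
    abstract protected function accessorAllowed(string $method): bool;

    public function __get($name)
    {
        $getter = 'get' . $name;
        if ($this->accessorAllowed($getter)) {
            return $this->$getter(); // runs in class scope: protected is callable here
        }
        throw new Exception("Getting unknown property: $name");
    }

    public function __set($name, $value)
    {
        $setter = 'set' . $name;
        if (!$this->accessorAllowed($setter)) {
            throw new Exception("Setting unknown property: $name");
        }
        $this->$setter($value);
    }
}

class LooseAccount extends MagicBase
{
    use GuardedBalance;
    // The pattern from the report: existence only, visibility ignored.
    protected function accessorAllowed(string $method): bool
    {
        return method_exists($this, $method);
    }
}

class StrictAccount extends MagicBase
{
    use GuardedBalance;
    // is_callable() would not help: it is evaluated in class scope as well.
    protected function accessorAllowed(string $method): bool
    {
        return method_exists($this, $method)
            && (new ReflectionMethod($this, $method))->isPublic();
    }
}

$loose = new LooseAccount();
$loose->Balance = 5;           // reaches the protected setter from outside
var_dump($loose->Balance);     // reads back through the protected getter

$strict = new StrictAccount();
try {
    $strict->Balance = 5;      // rejected: setBalance() is not public
} catch (Exception $e) {
    echo $e->getMessage(), "\n";
}
```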

Most upvoted comments

And your comment is one reason I raised the issue here. For that feedback.

It feels wrong, cause the method does exist, but is not accessible from outside. If one already switches to a static method, it can have any name.