Home/ Questions/Q 547299
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T10:57:31+00:00

I’m writing a class that allows you to bridge HTTP requests with class instances

  • 0

I’m writing a class that allows you to bridge HTTP requests with class instances using JSON for data, without any implementation in the class you’re bridging to. Basically this is how it works:

// This is just an ordinary class.
$service = new WeatherService();

$jhi = new JsonHttpInterface($service);
$jhi->exec();

The JsonHttpInterface class will check the PATH_INFO of the request and call that method, applying any query string parameters as arguments.

http://example.com/the_above.php/getWeather?state="CA" would translate to
$service->getWeather("CA") (assuming that the name of the first argument is $state).

This is how the method is found and called:

$method = new ReflectionMethod(get_class($this->instance), $action);
/*
... code that matches query string values to arguments of above method...
*/
$response = $method->invokeArgs($this->instance, $args);

Now what I’m wondering is: what are the vulnerabilities of such a system. I’ve been pretty lenient on error checking, relying on PHP to throw errors when attempting to call non-existent or private/protected methods.

  • Is it possible to cheat the system?
  • Is it possible to pass in an invalid method name that does something other than throw an error?
  • Is it possible to refer to a method in a base class, or any other class?

The full source of JsonHttpInterface is available here: http://blixt.org/js/two-cents.php

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You can achieve the same without using the ReflectionXYZ classes

    call_user_func( array($this->instance, $action) , $args);

    And both are save in the same way, as long as you control what $this->instance is.
    $action is a string that is used to search an entry in the object’s/class’ method hashtable and there’s no magic symbol that can escape the object context (switching to another object). And there’s no parsing involved like e.g. in sql and sql injections.
    Both ReflectionMethod and call_user_func_array() honour the protection level of methods. e.g.

    class Foo {
  public function publicfn() {
    echo 'abc';
  }

  protected function protectedfn() {
    echo 'xyz';
  }
}

$obj = new Foo;
call_user_func_array(array($obj, 'publicfn'), array());
call_user_func_array(array($obj, 'protectedfn'), array());
$ro = new ReflectionMethod($obj, 'protectedfn');
$ro->invokeArgs($obj, array());

    prints

    abc
Warning: call_user_func_array() expects parameter 1 to be a valid callback, cannot access protected method Foo::protectedfn() in blabla on line 14

Fatal error: Uncaught exception 'ReflectionException' with message 'Trying to invoke protected method Foo::protectedfn() from scope ReflectionMethod' in blabla:16
Stack trace:
#0 blabla(16): ReflectionMethod->invokeArgs(Object(Foo), Array)
#1 {main}
  thrown in blabla on line 16

    You might want to look up if this was always the case. There’s e.g. an entry - MFH Fixed bug #37816 (ReflectionProperty does not throw exception when accessing protected attribute). At least it’s true for php 5.3 branch.
    You can always access public methods of any base class of $this->instance.
    You can access protected methods from within the class context, i.e. if $this and $this->instance are of the same/a derived type protected methods of $this->instance are accessible. e.g.

    class Foo {
  protected $instance;
  public function __construct(Foo $instance=null) {
    $this->instance = $instance;
  }
  public function publicfn() {
    if ( !is_null($this->instance)) {
      call_user_func_array( array($this->instance, 'protectedfn'), array());
    }
  }

  protected function protectedfn() {
    echo 'Foo::protectedfn() invoked';
  }
}

class Bar extends Foo {
  protected function protectedfn() {
    echo 'Bar::protectedfn() invoked';
  }
}

$foo = new Foo(new Bar);
$foo->publicfn();

    prints Bar::protectedfn() invoked. But that shouldn’t be too hard to avoid.

    • 0