Doctrine 2 - ORM / DDC-1598

ProxyFactory makes assumptions on identifier getter code

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Invalid
    • Affects Version/s: 2.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.1, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.2-BETA1, 2.2-BETA2, Git Master
    • Fix Version/s: 2.2, 2.3, 2.x
    • Component/s: ORM
    • Security Level: All
    • Labels:
      None

      Description

      As of
      https://github.com/doctrine/doctrine2/blob/master/lib/Doctrine/ORM/Proxy/ProxyFactory.php#L214
      and
      https://github.com/doctrine/doctrine2/blob/master/lib/Doctrine/ORM/Proxy/ProxyFactory.php#L237
      the current ProxyFactory isn't actually checking if the identifier getter has logic in it.
      Current checks aren't enough/valid.

      In my opinion the check should match the following:

      (public|protected)\s+function\s+getFieldname\s*(\s*)\s+{\s*\$this\s*->Fieldname\s*;\s*}

      Not really experienced with regex, but currently cannot come up with a more secure check.
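
      Added example (not part of the original report and not Doctrine's code): one way to accept an identifier getter as logic-free only when its body is exactly a return of the identifier property, so anything else is treated as having logic. The names isTrivialGetter and SampleEntity and the optional return-type clause are assumptions; the script must be saved to a file, because it reads its own source through reflection.

```php
<?php
// Added example, not Doctrine's code; isTrivialGetter() and SampleEntity are hypothetical.
function isTrivialGetter(ReflectionMethod $method, string $field): bool
{
    if ($method->isStatic() || $method->getNumberOfParameters() > 0) {
        return false;
    }
    $file = $method->getFileName();
    if ($file === false) {
        return false; // internal method: no source to inspect, so do not trust it
    }
    // Cut the method's own lines out of the file (getStartLine() is 1-based).
    $start  = $method->getStartLine() - 1;
    $source = implode('', array_slice(file($file), $start, $method->getEndLine() - $start));
    // Body must be exactly `return $this-><field>;` with an optional return type before it.
    $pattern = '/function\s+' . preg_quote($method->getName(), '/')
        . '\s*\(\s*\)\s*(?::\s*\??[\w\\\\]+\s*)?\{\s*return\s+\$this\s*->\s*'
        . preg_quote($field, '/') . '\s*;\s*\}/';
    return preg_match($pattern, $source) === 1;
}

final class SampleEntity // constructed sample input
{
    private $id = 7;
    private $deleted = true;

    public function getId() { return $this->id; }

    public function getPlainId(): int
    {
        return $this->id;
    }

    public function getGuardedId() // short, but has logic a proxy must not skip
    {
        if ($this->deleted) { throw new RuntimeException('entity was deleted'); }
        return $this->id;
    }

    public function getFallbackId() { return $this->id ?: $this->load(); }
    private function load() { return 0; }
}

foreach (['getId', 'getPlainId', 'getGuardedId', 'getFallbackId'] as $name) {
    $ok = isTrivialGetter(new ReflectionMethod(SampleEntity::class, $name), 'id');
    printf("%-14s %s\n", $name, $ok ? 'plain getter' : 'has logic: initialize the proxy first');
}
```

      The check fails closed: a getter containing comments or any other extra tokens is reported as having logic.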

          People

          • Assignee: Benjamin Eberlei
          • Reporter: Marco Pivetta