From 9ee41d241455bc7af83b7639e116b7034755887c Mon Sep 17 00:00:00 2001
From: Jakub Vrana <vrana@php.net>
Date: Wed, 21 Nov 2007 15:39:18 +0000
Subject: [PATCH] Dangerous characters in class name (bug #42744)

git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@246618 c90b9560-bf6c-de11-be94-00142212c4b1
---
 language/oop5/autoload.xml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/language/oop5/autoload.xml b/language/oop5/autoload.xml
index 85cb389b5f..e2496defd0 100644
--- a/language/oop5/autoload.xml
+++ b/language/oop5/autoload.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="iso-8859-1"?>
-<!-- $Revision: 1.8 $ -->
+<!-- $Revision: 1.9 $ -->
  <sect1 xml:id="language.oop5.autoload" xmlns="http://docbook.org/ns/docbook">
   <title>Autoloading Objects</title>
   <para>
@@ -28,6 +28,14 @@
     <link linkend="features.commandline">interactive mode</link>.
    </para>
   </note>
+  <note>
+   <para>
+    If the class name is used e.g. in <function>call_user_func</function> then
+    it can contain some dangerous characters such as <literal>../</literal>.
+    It is recommended to not use the user-input in such functions or at least
+    verify the input in <function>__autoload</function>.
+   </para>
+  </note>
   <para>
    <example>
     <title>Autoload example</title>