author | Stanislav Malyshev <stas@php.net> | 2016-02-21 23:45:57 -0800 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2016-02-21 23:45:57 -0800 |
commit | eaf4e77190d402ea014207e9a7d5da1a4f3727ba (patch) | |
tree | 2c64fdc7f521f11ea78ee40b8a898134147e6cd1 | |
parent | 57b997ebf99e0eb9a073e0dafd2ab100bd4a112d (diff) | |
Fix bug #71610: Type Confusion Vulnerability - SOAP / make_http_soap_request()
-rw-r--r-- | ext/soap/php_http.c | 2 | ||||
-rw-r--r-- | ext/soap/tests/bug71610.phpt | 15 |
2 files changed, 17 insertions, 0 deletions
diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c
index 2baa0fa3ff..a2d0b6207d 100644
--- a/ext/soap/php_http.c
+++ b/ext/soap/php_http.c
@@ -833,8 +833,10 @@ try_again:
 Z_TYPE_P(value) == IS_STRING) {
 zval *tmp;
 if (((tmp = zend_hash_index_find(Z_ARRVAL_P(data), 1)) == NULL ||
+ Z_TYPE_P(tmp) != IS_STRING ||
 strncmp(phpurl->path?phpurl->path:"/",Z_STRVAL_P(tmp),Z_STRLEN_P(tmp)) == 0) &&
 ((tmp = zend_hash_index_find(Z_ARRVAL_P(data), 2)) == NULL ||
+ Z_TYPE_P(tmp) != IS_STRING ||
 in_domain(phpurl->host,Z_STRVAL_P(tmp))) &&
 (use_ssl || (tmp = zend_hash_index_find(Z_ARRVAL_P(data), 3)) == NULL)) {
 smart_str_append(&soap_headers, key);
diff --git a/ext/soap/tests/bug71610.phpt b/ext/soap/tests/bug71610.phpt
new file mode 100644
index 0000000000..4f1c7162ff
--- /dev/null
+++ b/ext/soap/tests/bug71610.phpt
@@ -0,0 +1,15 @@
+--TEST--
+SOAP Bug #71610 - Type Confusion Vulnerability - SOAP / make_http_soap_request()
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--FILE--
+<?php
+$exploit = unserialize('O:10:"SoapClient":3:{s:3:"uri";s:1:"a";s:8:"location";s:19:"http://testuri.org/";s:8:"_cookies";a:1:{s:8:"manhluat";a:3:{i:0;s:0:"";i:1;N;i:2;N;}}}}');
+try {
+$exploit->blahblah();
+} catch(SoapFault $e) {
+ echo $e->getMessage()."\n";
+}
+?>
+--EXPECT--
+looks like we got no XML document |
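Review bot: The two added `Z_TYPE_P(tmp) != IS_STRING ||` clauses make a cookie whose path or domain entry has the wrong type behave like a cookie with no restriction at all, so it is appended to the request for any path and any host. That matches how a missing entry is already treated in this condition, but for data that can arrive through unserialize() it would be more conservative to skip the malformed cookie, or at least to record the choice in a comment such as `/* non-string path/domain (e.g. from unserialize()) is treated as absent: cookie is sent unrestricted */`. The condition starts above the hunk and the enclosing loop, including whatever check establishes that `data` is an array, lies outside it, so the rest of the validation cannot be confirmed from here.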
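Review bot: The test calls `$exploit->blahblah()` against `http://testuri.org/`, so the expected line `looks like we got no XML document` depends on an external host answering in a particular way, and the only skip condition visible is `skipif.inc`. Pointing `location` at a local stub, or matching the fault message with `--EXPECTF--`, would keep the regression test deterministic on machines without network access. The payload also covers only `N` (null) for entries 1 and 2; a second case with another non-string type would pin the new `IS_STRING` check more firmly. The serialized string appears to end with one `}` more than it opens, which is worth tidying so the test does not rely on unserialize() tolerating trailing data.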