summaryrefslogtreecommitdiff
path: root/ext/dom
diff options
context:
space:
mode:
authorChristoph M. Becker <cmbecker69@gmx.de>2021-03-17 12:40:40 +0100
committerChristoph M. Becker <cmbecker69@gmx.de>2021-03-17 12:40:40 +0100
commite65f705ce363bafe3067c47a18300f28b61dd3f5 (patch)
treec492db6d35f99d915434e1a1e3c3cbcdcc67053f /ext/dom
parent709e45d89b35f77d1cdc89f57a8150fc6c9b859c (diff)
parentfddd0ac5520916b6ea3852b6b0d75b1f7ede8095 (diff)
downloadphp-git-e65f705ce363bafe3067c47a18300f28b61dd3f5.tar.gz
Merge branch 'PHP-8.0'
* PHP-8.0: Fix #66783: UAF when appending DOMDocument to element
Diffstat (limited to 'ext/dom')
-rw-r--r--ext/dom/php_dom.c10
-rw-r--r--ext/dom/tests/bug66783.phpt19
2 files changed, 26 insertions, 3 deletions
diff --git a/ext/dom/php_dom.c b/ext/dom/php_dom.c
index 9dcb79e398..618b2fe7d0 100644
--- a/ext/dom/php_dom.c
+++ b/ext/dom/php_dom.c
@@ -1241,9 +1241,13 @@ int dom_hierarchy(xmlNodePtr parent, xmlNodePtr child)
{
xmlNodePtr nodep;
- if (parent == NULL || child == NULL || child->doc != parent->doc) {
- return SUCCESS;
- }
+ if (parent == NULL || child == NULL || child->doc != parent->doc) {
+ return SUCCESS;
+ }
+
+ if (child->type == XML_DOCUMENT_NODE) {
+ return FAILURE;
+ }
nodep = parent;
diff --git a/ext/dom/tests/bug66783.phpt b/ext/dom/tests/bug66783.phpt
new file mode 100644
index 0000000000..98981a88f6
--- /dev/null
+++ b/ext/dom/tests/bug66783.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #66783 (UAF when appending DOMDocument to element)
+--SKIPIF--
+<?php
+if (!extension_loaded('dom')) die('skip dom extension not available');
+?>
+--FILE--
+<?php
+$doc = new DomDocument;
+$doc->loadXML('<root></root>');
+$e = $doc->createElement('e');
+try {
+ $e->appendChild($doc);
+} catch (DOMException $ex) {
+ echo $ex->getMessage(), PHP_EOL;
+}
+?>
+--EXPECTF--
+Hierarchy Request Error
View Lorry Controller Status