Diffstat (limited to 'ext/soap')
-rw-r--r--ext/soap/php_encoding.c22
-rw-r--r--ext/soap/php_http.c12
-rw-r--r--ext/soap/php_packet_soap.c2
-rw-r--r--ext/soap/php_soap.h2
-rw-r--r--ext/soap/soap.c4
-rw-r--r--ext/soap/tests/bug71610.phpt15
-rw-r--r--ext/soap/tests/bugs/bug38005.phpt2
-rw-r--r--ext/soap/tests/soap12/soap12-test.inc2
8 files changed, 31 insertions, 30 deletions
diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
index 1fdc5a8788..803a5cd596 100644
--- a/ext/soap/php_encoding.c
+++ b/ext/soap/php_encoding.c
@@ -1164,13 +1164,8 @@ static xmlNodePtr to_xml_null(encodeTypePtr type, zval *data, int style, xmlNode
static void set_zval_property(zval* object, char* name, zval* val)
{
- zend_class_entry *old_scope;
-
- old_scope = EG(scope);
- EG(scope) = Z_OBJCE_P(object);
- add_property_zval(object, name, val);
+ zend_update_property(Z_OBJCE_P(object), object, name, strlen(name), val);
if (Z_REFCOUNTED_P(val)) Z_DELREF_P(val);
- EG(scope) = old_scope;
}
static zval* get_zval_property(zval* object, char* name, zval *rv)
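Review bot: The `Z_DELREF_P(val)` that follows the new `zend_update_property()` call in set_zval_property is unconditional and undocumented, so the ownership rule is easy to break. It appears to hand the caller's reference over to the property, on the assumption that the write took a reference of its own. If the write does not keep one (for example a handler that rejects the assignment), the count could drop without the value being released; that is inferred, not visible in this hunk. I would at least add a comment above the call such as `/* consumes the caller's reference to val: the property write holds its own */`.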
@@ -1181,15 +1176,15 @@ static zval* get_zval_property(zval* object, char* name, zval *rv)
zend_class_entry *old_scope;
ZVAL_STRING(&member, name);
- old_scope = EG(scope);
- EG(scope) = Z_OBJCE_P(object);
+ old_scope = EG(fake_scope);
+ EG(fake_scope) = Z_OBJCE_P(object);
data = Z_OBJ_HT_P(object)->read_property(object, &member, BP_VAR_IS, NULL, rv);
if (data == &EG(uninitialized_zval)) {
/* Hack for bug #32455 */
zend_property_info *property_info;
property_info = zend_get_property_info(Z_OBJCE_P(object), Z_STR(member), 1);
- EG(scope) = old_scope;
+ EG(fake_scope) = old_scope;
if (property_info != ZEND_WRONG_PROPERTY_INFO && property_info &&
zend_hash_exists(Z_OBJPROP_P(object), property_info->name)) {
zval_ptr_dtor(&member);
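Review bot: The save and restore of `EG(fake_scope)` is repeated by hand on each exit path, twice in get_zval_property (this hunk and the next) and once in unset_zval_property, and nothing explains why the scope is overridden. As far as I can tell, fake_scope makes the property handlers behave as if the call came from inside the object's class. A later early return that skips the restore would therefore leave visibility checks relaxed for whatever runs next. I would add a comment at the assignment such as `/* act as the object's own class so non-public properties are reachable; restore on every return */`. get_zval_property starts and ends outside this hunk.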
@@ -1199,7 +1194,7 @@ static zval* get_zval_property(zval* object, char* name, zval *rv)
return NULL;
}
zval_ptr_dtor(&member);
- EG(scope) = old_scope;
+ EG(fake_scope) = old_scope;
return data;
} else if (Z_TYPE_P(object) == IS_ARRAY) {
zval *data_ptr;
@@ -1218,10 +1213,10 @@ static void unset_zval_property(zval* object, char* name)
zend_class_entry *old_scope;
ZVAL_STRING(&member, name);
- old_scope = EG(scope);
- EG(scope) = Z_OBJCE_P(object);
+ old_scope = EG(fake_scope);
+ EG(fake_scope) = Z_OBJCE_P(object);
Z_OBJ_HT_P(object)->unset_property(object, &member, NULL);
- EG(scope) = old_scope;
+ EG(fake_scope) = old_scope;
zval_ptr_dtor(&member);
} else if (Z_TYPE_P(object) == IS_ARRAY) {
zend_hash_str_del(Z_ARRVAL_P(object), name, strlen(name));
@@ -3512,6 +3507,7 @@ static encodePtr get_array_type(xmlNodePtr node, zval *array, smart_str *type)
ht = Z_ARRVAL_P(array);
ZEND_HASH_FOREACH_VAL_IND(ht, tmp) {
+ ZVAL_DEREF(tmp);
if (Z_TYPE_P(tmp) == IS_OBJECT &&
Z_OBJCE_P(tmp) == soap_var_class_entry) {
zval *ztype;
diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c
index 2baa0fa3ff..7c9183613c 100644
--- a/ext/soap/php_http.c
+++ b/ext/soap/php_http.c
@@ -700,16 +700,6 @@ try_again:
PHP_MD5Update(&md5ctx, (unsigned char*)phpurl->query, strlen(phpurl->query));
}
- /* TODO: Support for qop="auth-int" */
-/*
- if (zend_hash_find(Z_ARRVAL_PP(digest), "qop", sizeof("qop"), (void **)&tmp) == SUCCESS &&
- Z_TYPE_PP(tmp) == IS_STRING &&
- Z_STRLEN_PP(tmp) == sizeof("auth-int")-1 &&
- stricmp(Z_STRVAL_PP(tmp), "auth-int") == 0) {
- PHP_MD5Update(&md5ctx, ":", 1);
- PHP_MD5Update(&md5ctx, HEntity, HASHHEXLEN);
- }
-*/
PHP_MD5Final(hash, &md5ctx);
make_digest(HA2, hash);
@@ -833,8 +823,10 @@ try_again:
Z_TYPE_P(value) == IS_STRING) {
zval *tmp;
if (((tmp = zend_hash_index_find(Z_ARRVAL_P(data), 1)) == NULL ||
+ Z_TYPE_P(tmp) != IS_STRING ||
strncmp(phpurl->path?phpurl->path:"/",Z_STRVAL_P(tmp),Z_STRLEN_P(tmp)) == 0) &&
((tmp = zend_hash_index_find(Z_ARRVAL_P(data), 2)) == NULL ||
+ Z_TYPE_P(tmp) != IS_STRING ||
in_domain(phpurl->host,Z_STRVAL_P(tmp))) &&
(use_ssl || (tmp = zend_hash_index_find(Z_ARRVAL_P(data), 3)) == NULL)) {
smart_str_append(&soap_headers, key);
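Review bot: The two added `Z_TYPE_P(tmp) != IS_STRING ||` guards stop the string macros from being applied to a non-string, but they fail open: a path or domain entry that is present with the wrong type is treated like a missing one, so the cookie is attached for any path and any host. Since the new test shows `_cookies` can arrive through unserialize(), it seems safer to treat a malformed entry as a mismatch, e.g. `(Z_TYPE_P(tmp) == IS_STRING && strncmp(phpurl->path?phpurl->path:"/",Z_STRVAL_P(tmp),Z_STRLEN_P(tmp)) == 0)` and `(Z_TYPE_P(tmp) == IS_STRING && in_domain(phpurl->host,Z_STRVAL_P(tmp)))`. Whether a null entry is meant to stand for "no restriction" is not visible here, so confirm before changing it. The enclosing `if` and loop begin outside this hunk.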
diff --git a/ext/soap/php_packet_soap.c b/ext/soap/php_packet_soap.c
index c835c84dff..81a8d18b29 100644
--- a/ext/soap/php_packet_soap.c
+++ b/ext/soap/php_packet_soap.c
@@ -385,7 +385,7 @@ int parse_packet_soap(zval *this_ptr, char *buffer, int buffer_size, sdlFunction
} else {
zend_refcounted *garbage = Z_COUNTED_P(return_value);
ZVAL_COPY(return_value, tmp);
- _zval_dtor_func(garbage ZEND_FILE_LINE_CC);
+ zval_dtor_func(garbage);
}
}
}
diff --git a/ext/soap/php_soap.h b/ext/soap/php_soap.h
index 3d032db031..5736f1043a 100644
--- a/ext/soap/php_soap.h
+++ b/ext/soap/php_soap.h
@@ -192,7 +192,7 @@ ZEND_EXTERN_MODULE_GLOBALS(soap)
#define SOAP_GLOBAL(v) ZEND_MODULE_GLOBALS_ACCESSOR(soap, v)
#if defined(ZTS) && defined(COMPILE_DL_SOAP)
-ZEND_TSRMLS_CACHE_EXTERN();
+ZEND_TSRMLS_CACHE_EXTERN()
#endif
extern zend_class_entry* soap_var_class_entry;
diff --git a/ext/soap/soap.c b/ext/soap/soap.c
index ee41ff908f..c842ce5119 100644
--- a/ext/soap/soap.c
+++ b/ext/soap/soap.c
@@ -467,7 +467,7 @@ zend_module_entry soap_module_entry = {
#ifdef COMPILE_DL_SOAP
#ifdef ZTS
-ZEND_TSRMLS_CACHE_DEFINE();
+ZEND_TSRMLS_CACHE_DEFINE()
#endif
ZEND_GET_MODULE(soap)
#endif
@@ -953,9 +953,7 @@ PHP_METHOD(SoapFault, __toString)
line = zend_read_property(soap_fault_class_entry, this_ptr, "line", sizeof("line")-1, 1, &rv4);
fci.size = sizeof(fci);
- fci.function_table = &Z_OBJCE_P(getThis())->function_table;
ZVAL_STRINGL(&fci.function_name, "gettraceasstring", sizeof("gettraceasstring")-1);
- fci.symbol_table = NULL;
fci.object = Z_OBJ(EX(This));
fci.retval = &trace;
fci.param_count = 0;
diff --git a/ext/soap/tests/bug71610.phpt b/ext/soap/tests/bug71610.phpt
new file mode 100644
index 0000000000..4f1c7162ff
--- /dev/null
+++ b/ext/soap/tests/bug71610.phpt
@@ -0,0 +1,15 @@
+--TEST--
+SOAP Bug #71610 - Type Confusion Vulnerability - SOAP / make_http_soap_request()
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--FILE--
+<?php
+$exploit = unserialize('O:10:"SoapClient":3:{s:3:"uri";s:1:"a";s:8:"location";s:19:"http://testuri.org/";s:8:"_cookies";a:1:{s:8:"manhluat";a:3:{i:0;s:0:"";i:1;N;i:2;N;}}}}');
+try {
+$exploit->blahblah();
+} catch(SoapFault $e) {
+ echo $e->getMessage()."\n";
+}
+?>
+--EXPECT--
+looks like we got no XML document
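Review bot: The expected output depends on what `http://testuri.org/` returns at run time, so this regression test can fail or pass for reasons unrelated to the type check. On a machine without network access the fault message would presumably be a connection error rather than "looks like we got no XML document". Pointing `location` at a local test server, or accepting any SoapFault message with `--EXPECTF--`, would make it deterministic. The payload also only exercises null at indices 1 and 2; an integer or array entry there would cover the other non-string cases the new guards are meant to reject.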
diff --git a/ext/soap/tests/bugs/bug38005.phpt b/ext/soap/tests/bugs/bug38005.phpt
index 6a4fb2580b..219696c263 100644
--- a/ext/soap/tests/bugs/bug38005.phpt
+++ b/ext/soap/tests/bugs/bug38005.phpt
@@ -6,7 +6,7 @@ Bug #38005 (SoapFault faultstring doesn't follow encoding rules)
soap.wsdl_cache_enabled=0
--FILE--
<?php
-function Test($param) {
+function Test($param=NULL) {
return new SoapFault('Test', 'This is our fault: Ä');
}
diff --git a/ext/soap/tests/soap12/soap12-test.inc b/ext/soap/tests/soap12/soap12-test.inc
index fbdc855a7e..e27712241f 100644
--- a/ext/soap/tests/soap12/soap12-test.inc
+++ b/ext/soap/tests/soap12/soap12-test.inc
@@ -90,7 +90,7 @@ class Soap12test {
return count($input);
}
- function isNil($input) {
+ function isNil($input=NULL) {
return is_null($input);
}