diff options
| author | Xinchen Hui <laruence@php.net> | 2015-02-27 23:32:32 +0800 |
|---|---|---|
| committer | Xinchen Hui <laruence@php.net> | 2015-02-27 23:32:32 +0800 |
| commit | 997b7e56302710bb3db00b56d0629ac75d73a207 (patch) | |
| tree | c621ba49d8b210fe8f47c970d73dc89346c2d413 | |
| parent | 4eb830b212b3f0c53ed208723520e77a26b13e2b (diff) | |
| download | php-git-997b7e56302710bb3db00b56d0629ac75d73a207.tar.gz | |
Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()).
| -rw-r--r-- | NEWS | 4 | ||||
| -rw-r--r-- | ext/soap/soap.c | 6 | ||||
| -rw-r--r-- | ext/soap/tests/bugs/bug69085.phpt | 17 |
3 files changed, 24 insertions, 3 deletions
@@ -38,6 +38,10 @@ PHP NEWS . Fixed bug #69054 (Null dereference in readline_(read|write)_history() without parameters). (Laruence) +- SOAP: + . Fixed bug #69085 (SoapClient's __call() type confusion through + unserialize()). (andrea dot palazzo at truel dot it, Laruence) + - SPL: . Fixed bug #69108 ("Segmentation fault" when (de)serializing SplObjectStorage). (Laruence) diff --git a/ext/soap/soap.c b/ext/soap/soap.c index daf977e8a3..ffa40072f7 100644 --- a/ext/soap/soap.c +++ b/ext/soap/soap.c @@ -2564,7 +2564,7 @@ static int do_request(zval *this_ptr, xmlDoc *request, char *location, char *act } if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && - Z_LVAL_PP(trace) > 0) { + Z_TYPE_PP(trace) == IS_LONG && Z_LVAL_PP(trace) > 0) { add_property_stringl(this_ptr, "__last_request", buf, buf_size, 1); } @@ -2599,7 +2599,7 @@ static int do_request(zval *this_ptr, xmlDoc *request, char *location, char *act } ret = FALSE; } else if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && - Z_LVAL_PP(trace) > 0) { + Z_TYPE_PP(trace) == IS_LONG && Z_LVAL_PP(trace) > 0) { add_property_stringl(this_ptr, "__last_response", Z_STRVAL_P(response), Z_STRLEN_P(response), 1); } zval_ptr_dtor(¶ms[4]); @@ -2904,7 +2904,7 @@ PHP_METHOD(SoapClient, __call) } /* Add default headers */ - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__default_headers", sizeof("__default_headers"), (void **) &tmp)==SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__default_headers", sizeof("__default_headers"), (void **) &tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_ARRAY) { HashTable *default_headers = Z_ARRVAL_P(*tmp); if (soap_headers) { if (!free_soap_headers) { diff --git a/ext/soap/tests/bugs/bug69085.phpt b/ext/soap/tests/bugs/bug69085.phpt new file mode 100644 index 0000000000..cb27cfd89e --- /dev/null +++ b/ext/soap/tests/bugs/bug69085.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #69085 (SoapClient's __call() type confusion through unserialize()) +--SKIPIF-- +<?php require_once('skipif.inc'); ?> +--INI-- +soap.wsdl_cache_enabled=0 +--FILE-- +<?php + +$dummy = unserialize('O:10:"SoapClient":5:{s:3:"uri";s:1:"a";s:8:"location";s:22:"http://localhost/a.xml";s:17:"__default_headers";i:1337;s:15:"__last_response";s:1:"a";s:5:"trace";s:1:"x";}'); +try { + $dummy->whatever(); +} catch (Exception $e) { + echo "okey"; +} +--EXPECT-- +okey |