author | Stanislav Malyshev <stas@php.net> | 2015-09-01 12:40:10 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2015-09-02 00:37:20 -0700 |
commit | 9b1a224d4e994219a6ef1d1d8fdcc1b0598ba3ab (patch) | |
tree | 491094c4c38e550cce8f1bc157b6e526e260b976 /ext/soap | |
parent | 50d6fd6a032aad352d0daa52540698131813a4ec (diff) | |
parent | 3fe509443ccaebd5626f18490f36f088cde16d3f (diff) | |
download | php-git-9b1a224d4e994219a6ef1d1d8fdcc1b0598ba3ab.tar.gz |
Merge branch 'PHP-5.6'
* PHP-5.6: (21 commits)
fix unit tests
update NEWS
add NEWS for fixes
Improve fix for #70172
Fix bug #70312 - HAVAL gives wrong hashes in specific cases
fix test
add test
Fix bug #70366 - use-after-free vulnerability in unserialize() with SplDoublyLinkedList
Fix bug #70365 - use-after-free vulnerability in unserialize() with SplObjectStorage
Fix bug #70172 - Use After Free Vulnerability in unserialize()
Fix bug #70388 - SOAP serialize_function_call() type confusion
Fixed bug #70350: ZipArchive::extractTo allows for directory traversal when creating directories
Improve fix for #70385
Fix bug #70345 (Multiple vulnerabilities related to PCRE functions)
Fix bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes)
Fix bug #70219 (Use after free vulnerability in session deserializer)
Fix bug ##70284 (Use after free vulnerability in unserialize() with GMP)
Fix for bug #69782
Add CVE IDs asigned (post release) to PHP 5.4.43
Add CVE IDs asigned to #69085 (PHP 5.4.39)
...
Conflicts:
ext/exif/exif.c
ext/gmp/gmp.c
ext/pcre/php_pcre.c
ext/session/session.c
ext/session/tests/session_decode_variation3.phpt
ext/soap/soap.c
ext/spl/spl_observer.c
ext/standard/var.c
ext/standard/var_unserializer.c
ext/standard/var_unserializer.re
ext/xsl/xsltprocessor.c
Diffstat (limited to 'ext/soap')
-rw-r--r-- | ext/soap/soap.c | 15 | ||||
-rw-r--r-- | ext/soap/tests/bug70388.phpt | 17 |
2 files changed, 28 insertions, 4 deletions
diff --git a/ext/soap/soap.c b/ext/soap/soap.c
index 3c4a86c01e..d2b1d30ddf 100644
--- a/ext/soap/soap.c
+++ b/ext/soap/soap.c
@@ -1505,7 +1505,7 @@ static void _soap_server_exception(soapServicePtr service, sdlFunctionPtr functi
 add_soap_fault_ex(&exception_object, this_ptr, "Server", "Internal Error", NULL, NULL);
 }
 soap_server_fault_ex(function, &exception_object, NULL);
- }
+ }
 }
 /* }}} */
@@ -2924,8 +2924,10 @@ PHP_METHOD(SoapClient, __call)
 free_soap_headers = 1;
 }
 ZEND_HASH_FOREACH_VAL(default_headers, tmp) {
- Z_ADDREF_P(tmp);
- zend_hash_next_index_insert(soap_headers, tmp);
+ if(Z_TYPE_P(tmp) == IS_OBJECT) {
+ Z_ADDREF_P(tmp);
+ zend_hash_next_index_insert(soap_headers, tmp);
+ }
 } ZEND_HASH_FOREACH_END();
 } else {
 soap_headers = Z_ARRVAL_P(tmp);
@@ -4332,9 +4334,14 @@ static xmlDocPtr serialize_function_call(zval *this_ptr, sdlFunctionPtr function
 zval* header;
 ZEND_HASH_FOREACH_VAL(soap_headers, header) {
- HashTable *ht = Z_OBJPROP_P(header);
+ HashTable *ht;
 zval *name, *ns, *tmp;
+ if (Z_TYPE_P(header) != IS_OBJECT) {
+ continue;
+ }
+
+ ht = Z_OBJPROP_P(header);
 if ((name = zend_hash_str_find(ht, "name", sizeof("name")-1)) != NULL &&
 Z_TYPE_P(name) == IS_STRING &&
 (ns = zend_hash_str_find(ht, "namespace", sizeof("namespace")-1)) != NULL &&
diff --git a/ext/soap/tests/bug70388.phpt b/ext/soap/tests/bug70388.phpt
new file mode 100644
index 0000000000..49a8efc0ff
--- /dev/null
+++ b/ext/soap/tests/bug70388.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #70388 (SOAP serialize_function_call() type confusion / RCE)
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--FILE--
+<?php
+$dummy = unserialize('O:10:"SoapClient":3:{s:3:"uri";s:1:"X";s:8:"location";s:22:"http://localhost/a.xml";s:17:"__default_headers";a:1:{i:1;s:1337:"'.str_repeat("X", 1337).'";}}');
+try {
+ var_dump($dummy->notexisting());
+} catch(Exception $e) {
+ var_dump($e->getMessage());
+ var_dump(get_class($e));
+}
+?>
+--EXPECTF--
+string(%d) "%s"
+string(9) "SoapFault"
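Review bot: The object filter added inside the `ZEND_HASH_FOREACH_VAL(default_headers, tmp)` loop covers only the merge path; the `else` branch directly below still assigns `soap_headers = Z_ARRVAL_P(tmp)` unfiltered, so that path depends entirely on the `IS_OBJECT` guard added in serialize_function_call() (the `@@ -4332` hunk). A comment here would record that dependency, e.g. `/* __default_headers can be populated by unserialize(); non-objects are rejected again in serialize_function_call() */`. On style, `if(Z_TYPE_P(tmp) == IS_OBJECT)` is missing the space after `if` that the guard in the other hunk uses. The body of `__call` starts and ends outside this hunk, so whether `__default_headers` itself is verified to be an array before this loop is not visible here.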
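Review bot: The new guard in the `ZEND_HASH_FOREACH_VAL(soap_headers, header)` loop skips non-object entries with a bare `continue` and no comment, so the reason `Z_OBJPROP_P(header)` had to move below a type test is not recorded where a later edit could undo it. I would add `/* entries may be non-objects (e.g. unserialize()d __default_headers); Z_OBJPROP_P() is only valid on IS_OBJECT */` above the check. If header entries can reach this loop wrapped in a reference, which the hunk does not show, a `ZVAL_DEREF(header);` before the test would keep legitimate headers from being dropped silently. The loop body continues past the end of the hunk.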
\ No newline at end of file |
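Review bot: The expectation `string(%d) "%s"` accepts any exception message, and the call goes to `http://localhost/a.xml`, so the test passes whenever some SoapFault is thrown and its outcome depends on what happens to be listening locally. It also appears to reach only the path where no per-call headers are supplied (`$dummy->notexisting()`), which would leave the new `IS_OBJECT` filter in the `SoapClient::__call` merge loop unexercised; a second case that goes through `__soapCall()` with input headers would cover it. Pinning the expected message, or at least asserting that the process survives and `get_class($e)` is `SoapFault` for both cases, would make a regression easier to notice.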