Single patch merged from From 997b7e56302710bb3db00b56d0629ac75d73a207 Mon Sep 17 00:00:00 2001 From: Xinchen Hui Date: Fri, 27 Feb 2015 23:32:32 +0800 Subject: [PATCH] Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()). From 0c136a2abd49298b66acb0cad504f0f972f5bfe8 Mon Sep 17 00:00:00 2001 From: Dmitry Stogov Date: Tue, 3 Mar 2015 09:44:46 +0300 Subject: [PATCH] Added type checks From c8eaca013a3922e8383def6158ece2b63f6ec483 Mon Sep 17 00:00:00 2001 From: Dmitry Stogov Date: Tue, 3 Mar 2015 10:43:48 +0300 Subject: [PATCH] Added type checks From 76c1ec5e96640e3076c105bde2cccfceb7557690 Mon Sep 17 00:00:00 2001 From: Xinchen Hui Date: Wed, 25 Mar 2015 12:07:25 +0800 Subject: [PATCH] Bug #69293 NEW segfault when using SoapClient::__setSoapHeader (bisected, regression) From c61ceef7796b3967dd5e270245d33ba72ba055ee Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Mon, 13 Apr 2015 14:39:11 +0200 Subject: [PATCH] fix type in fix for #69085 diff -ru /dev/shm/rcollet/BUILD/php-5.5.21/ext/soap/php_encoding.c /home/rcollet/sources/php-src/ext/soap/php_encoding.c --- a/ext/soap/php_encoding.c 2015-01-21 11:23:27.000000000 +0100 +++ b/ext/soap/php_encoding.c 2015-04-14 13:37:46.108290466 +0200 @@ -404,12 +404,15 @@ encodePtr enc = NULL; HashTable *ht = Z_OBJPROP_P(data); - if (zend_hash_find(ht, "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE) { + if (zend_hash_find(ht, "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE || + Z_TYPE_PP(ztype) != IS_LONG) { soap_error0(E_ERROR, "Encoding: SoapVar has no 'enc_type' property"); } - if (zend_hash_find(ht, "enc_stype", sizeof("enc_stype"), (void **)&zstype) == SUCCESS) { - if (zend_hash_find(ht, "enc_ns", sizeof("enc_ns"), (void **)&zns) == SUCCESS) { + if (zend_hash_find(ht, "enc_stype", sizeof("enc_stype"), (void **)&zstype) == SUCCESS && + Z_TYPE_PP(zstype) == IS_STRING) { + if (zend_hash_find(ht, "enc_ns", sizeof("enc_ns"), (void **)&zns) == SUCCESS && + Z_TYPE_PP(zns) == IS_STRING) { enc = get_encoder(SOAP_GLOBAL(sdl), Z_STRVAL_PP(zns), Z_STRVAL_PP(zstype)); } else { zns = NULL; @@ -445,8 +448,10 @@ } if (style == SOAP_ENCODED || (SOAP_GLOBAL(sdl) && encode != enc)) { - if (zend_hash_find(ht, "enc_stype", sizeof("enc_stype"), (void **)&zstype) == SUCCESS) { - if (zend_hash_find(ht, "enc_ns", sizeof("enc_ns"), (void **)&zns) == SUCCESS) { + if (zend_hash_find(ht, "enc_stype", sizeof("enc_stype"), (void **)&zstype) == SUCCESS && + Z_TYPE_PP(zstype) == IS_STRING) { + if (zend_hash_find(ht, "enc_ns", sizeof("enc_ns"), (void **)&zns) == SUCCESS && + Z_TYPE_PP(zns) == IS_STRING) { set_ns_and_type_ex(node, Z_STRVAL_PP(zns), Z_STRVAL_PP(zstype)); } else { set_ns_and_type_ex(node, NULL, Z_STRVAL_PP(zstype)); @@ -454,10 +459,12 @@ } } - if (zend_hash_find(ht, "enc_name", sizeof("enc_name"), (void **)&zname) == SUCCESS) { + if (zend_hash_find(ht, "enc_name", sizeof("enc_name"), (void **)&zname) == SUCCESS && + Z_TYPE_PP(zname) == IS_STRING) { xmlNodeSetName(node, BAD_CAST(Z_STRVAL_PP(zname))); } - if (zend_hash_find(ht, "enc_namens", sizeof("enc_namens"), (void **)&znamens) == SUCCESS) { + if (zend_hash_find(ht, "enc_namens", sizeof("enc_namens"), (void **)&znamens) == SUCCESS && + Z_TYPE_PP(znamens) == IS_STRING) { xmlNsPtr nsp = encode_add_ns(node, Z_STRVAL_PP(znamens)); xmlSetNs(node, nsp); } @@ -3640,18 +3647,21 @@ Z_OBJCE_PP(tmp) == soap_var_class_entry) { zval **ztype; - if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE) { + if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE || + Z_TYPE_PP(ztype) != IS_LONG) { soap_error0(E_ERROR, "Encoding: SoapVar has no 'enc_type' property"); } cur_type = Z_LVAL_PP(ztype); - if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_stype", sizeof("enc_stype"), (void **)&ztype) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_stype", sizeof("enc_stype"), (void **)&ztype) == SUCCESS && + Z_TYPE_PP(ztype) == IS_STRING) { cur_stype = Z_STRVAL_PP(ztype); } else { cur_stype = NULL; } - if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_ns", sizeof("enc_ns"), (void **)&ztype) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_ns", sizeof("enc_ns"), (void **)&ztype) == SUCCESS && + Z_TYPE_PP(ztype) == IS_STRING) { cur_ns = Z_STRVAL_PP(ztype); } else { cur_ns = NULL; diff -ru /dev/shm/rcollet/BUILD/php-5.5.21/ext/soap/php_http.c /home/rcollet/sources/php-src/ext/soap/php_http.c --- a/ext/soap/php_http.c 2015-01-21 11:23:27.000000000 +0100 +++ b/ext/soap/php_http.c 2015-04-14 13:37:46.109290475 +0200 @@ -36,14 +36,16 @@ { zval **login, **password; - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_login", sizeof("_proxy_login"), (void **)&login) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_login", sizeof("_proxy_login"), (void **)&login) == SUCCESS && + Z_TYPE_PP(login) == IS_STRING) { unsigned char* buf; int len; smart_str auth = {0}; smart_str_appendl(&auth, Z_STRVAL_PP(login), Z_STRLEN_PP(login)); smart_str_appendc(&auth, ':'); - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_password", sizeof("_proxy_password"), (void **)&password) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_password", sizeof("_proxy_password"), (void **)&password) == SUCCESS && + Z_TYPE_PP(password) == IS_STRING) { smart_str_appendl(&auth, Z_STRVAL_PP(password), Z_STRLEN_PP(password)); } smart_str_0(&auth); @@ -64,14 +66,16 @@ zval **login, **password; if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_login", sizeof("_login"), (void **)&login) == SUCCESS && - !zend_hash_exists(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest"))) { + Z_TYPE_PP(login) == IS_STRING && + !zend_hash_exists(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest"))) { unsigned char* buf; int len; smart_str auth = {0}; smart_str_appendl(&auth, Z_STRVAL_PP(login), Z_STRLEN_PP(login)); smart_str_appendc(&auth, ':'); - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_password", sizeof("_password"), (void **)&password) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_password", sizeof("_password"), (void **)&password) == SUCCESS && + Z_TYPE_PP(password) == IS_STRING) { smart_str_appendl(&auth, Z_STRVAL_PP(password), Z_STRLEN_PP(password)); } smart_str_0(&auth); @@ -571,6 +575,7 @@ } if (!http_1_1 || (zend_hash_find(Z_OBJPROP_P(this_ptr), "_keep_alive", sizeof("_keep_alive"), (void **)&tmp) == SUCCESS && + (Z_TYPE_PP(tmp) == IS_BOOL || Z_TYPE_PP(tmp) == IS_LONG) && Z_LVAL_PP(tmp) == 0)) { smart_str_append_const(&soap_headers, "\r\n" "Connection: close\r\n"); @@ -804,7 +809,8 @@ } /* Send cookies along with request */ - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS && + Z_TYPE_PP(cookies) == IS_ARRAY) { zval **data; char *key; int i, n; @@ -847,7 +853,7 @@ smart_str_append_const(&soap_headers, "\r\n"); smart_str_0(&soap_headers); if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && - Z_LVAL_PP(trace) > 0) { + (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { add_property_stringl(this_ptr, "__last_request_headers", soap_headers.c, soap_headers.len, 1); } smart_str_appendl(&soap_headers, request, request_size); @@ -892,7 +898,7 @@ } if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && - Z_LVAL_PP(trace) > 0) { + (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { add_property_stringl(this_ptr, "__last_response_headers", http_headers, http_header_size, 1); } @@ -941,7 +947,8 @@ char *eqpos, *sempos; zval **cookies; - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE || + Z_TYPE_PP(cookies) != IS_ARRAY) { zval *tmp_cookies; MAKE_STD_ZVAL(tmp_cookies); array_init(tmp_cookies); diff -ru /dev/shm/rcollet/BUILD/php-5.5.21/ext/soap/soap.c /home/rcollet/sources/php-src/ext/soap/soap.c --- a/ext/ext/soap/soap.c 2015-01-21 11:23:27.000000000 +0100 +++ b/ext/soap/soap.c 2015-04-14 13:37:46.111290492 +0200 @@ -930,6 +930,12 @@ zend_call_function(&fci, NULL TSRMLS_CC); + convert_to_string(faultcode); + convert_to_string(faultstring); + convert_to_string(file); + convert_to_long(line); + convert_to_string(trace); + len = spprintf(&str, 0, "SoapFault exception: [%s] %s in %s:%ld\nStack trace:\n%s", Z_STRVAL_P(faultcode), Z_STRVAL_P(faultstring), Z_STRVAL_P(file), Z_LVAL_P(line), Z_STRLEN_P(trace) ? Z_STRVAL_P(trace) : "#0 {main}\n"); @@ -2071,8 +2077,7 @@ xmlDocDumpMemory(doc_return, &buf, &size); - zend_is_auto_global("_SERVER", sizeof("_SERVER") - 1 TSRMLS_CC); - if (PG(http_globals)[TRACK_VARS_SERVER] && + if ((PG(http_globals)[TRACK_VARS_SERVER] || zend_is_auto_global("_SERVER", sizeof("_SERVER") - 1 TSRMLS_CC)) && zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->value.ht, "HTTP_USER_AGENT", sizeof("HTTP_USER_AGENT"), (void **) &agent_name) == SUCCESS && Z_TYPE_PP(agent_name) == IS_STRING) { if (strncmp(Z_STRVAL_PP(agent_name), "Shockwave Flash", sizeof("Shockwave Flash")-1) == 0) { @@ -2565,7 +2570,7 @@ } if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && - Z_LVAL_PP(trace) > 0) { + (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { add_property_stringl(this_ptr, "__last_request", buf, buf_size, 1); } @@ -2600,7 +2605,7 @@ } ret = FALSE; } else if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && - Z_LVAL_PP(trace) > 0) { + (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { add_property_stringl(this_ptr, "__last_response", Z_STRVAL_P(response), Z_STRLEN_P(response), 1); } zval_ptr_dtor(¶ms[4]); @@ -2644,13 +2649,13 @@ SOAP_CLIENT_BEGIN_CODE(); - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS - && Z_LVAL_PP(trace) > 0) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && + (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { zend_hash_del(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request")); zend_hash_del(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response")); } - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_soap_version", sizeof("_soap_version"), (void **) &tmp) == SUCCESS - && Z_LVAL_PP(tmp) == SOAP_1_2) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_soap_version", sizeof("_soap_version"), (void **) &tmp) == SUCCESS && + Z_TYPE_PP(tmp) == IS_LONG && Z_LVAL_PP(tmp) == SOAP_1_2) { soap_version = SOAP_1_2; } else { soap_version = SOAP_1_1; @@ -2747,7 +2752,7 @@ zval **uri; smart_str action = {0}; - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "uri", sizeof("uri"), (void *)&uri) == FAILURE) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "uri", sizeof("uri"), (void *)&uri) == FAILURE || Z_TYPE_PP(uri) != IS_STRING) { add_soap_fault(this_ptr, "Client", "Error finding \"uri\" property", NULL, NULL TSRMLS_CC); } else if (location == NULL) { add_soap_fault(this_ptr, "Client", "Error could not find \"location\" property", NULL, NULL TSRMLS_CC); @@ -2905,7 +2910,7 @@ } /* Add default headers */ - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__default_headers", sizeof("__default_headers"), (void **) &tmp)==SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__default_headers", sizeof("__default_headers"), (void **) &tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_ARRAY) { HashTable *default_headers = Z_ARRVAL_P(*tmp); if (soap_headers) { if (!free_soap_headers) { @@ -3026,7 +3031,8 @@ return; } - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request"), (void **)&tmp) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request"), (void **)&tmp) == SUCCESS && + Z_TYPE_PP(tmp) == IS_STRING) { RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); } RETURN_NULL(); @@ -3044,7 +3050,8 @@ return; } - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response"), (void **)&tmp) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response"), (void **)&tmp) == SUCCESS && + Z_TYPE_PP(tmp) == IS_STRING) { RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); } RETURN_NULL(); @@ -3062,7 +3069,8 @@ return; } - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request_headers", sizeof("__last_request_headers"), (void **)&tmp) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request_headers", sizeof("__last_request_headers"), (void **)&tmp) == SUCCESS && + Z_TYPE_PP(tmp) == IS_STRING) { RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); } RETURN_NULL(); @@ -3080,7 +3088,8 @@ return; } - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response_headers", sizeof("__last_response_headers"), (void **)&tmp) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response_headers", sizeof("__last_response_headers"), (void **)&tmp) == SUCCESS && + Z_TYPE_PP(tmp) == IS_STRING) { RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); } RETURN_NULL(); @@ -3136,13 +3145,15 @@ } if (val == NULL) { - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS && + Z_TYPE_PP(cookies) == IS_ARRAY) { zend_hash_del(Z_ARRVAL_PP(cookies), name, name_len+1); } } else { zval *zcookie; - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE || + Z_TYPE_PP(cookies) != IS_ARRAY) { zval *tmp_cookies; MAKE_STD_ZVAL(tmp_cookies); @@ -3170,7 +3181,8 @@ array_init(return_value); - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) != FAILURE) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) != FAILURE && + Z_TYPE_PP(cookies) == IS_ARRAY) { zend_hash_copy(Z_ARRVAL_P(return_value), Z_ARRVAL_P(*cookies), (copy_ctor_func_t) zval_add_ref, (void *)&tmp, sizeof(zval*)); } } @@ -3992,7 +4004,8 @@ } if (version == SOAP_1_1) { - if (zend_hash_find(prop, "faultcode", sizeof("faultcode"), (void**)&tmp) == SUCCESS) { + if (zend_hash_find(prop, "faultcode", sizeof("faultcode"), (void**)&tmp) == SUCCESS && + Z_TYPE_PP(tmp) == IS_STRING) { size_t new_len; xmlNodePtr node = xmlNewNode(NULL, BAD_CAST("faultcode")); char *str = php_escape_html_entities((unsigned char*)Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), &new_len, 0, 0, NULL TSRMLS_CC); @@ -4017,7 +4030,8 @@ } detail_name = "detail"; } else { - if (zend_hash_find(prop, "faultcode", sizeof("faultcode"), (void**)&tmp) == SUCCESS) { + if (zend_hash_find(prop, "faultcode", sizeof("faultcode"), (void**)&tmp) == SUCCESS && + Z_TYPE_PP(tmp) == IS_STRING) { size_t new_len; xmlNodePtr node = xmlNewChild(param, ns, BAD_CAST("Code"), NULL); char *str = php_escape_html_entities((unsigned char*)Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), &new_len, 0, 0, NULL TSRMLS_CC); @@ -4257,7 +4271,8 @@ } } } else { - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "style", sizeof("style"), (void **)&zstyle) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "style", sizeof("style"), (void **)&zstyle) == SUCCESS && + Z_TYPE_PP(zstyle) == IS_LONG) { style = Z_LVAL_PP(zstyle); } else { style = SOAP_RPC; @@ -4280,7 +4295,7 @@ } if (zend_hash_find(Z_OBJPROP_P(this_ptr), "use", sizeof("use"), (void **)&zuse) == SUCCESS && - Z_LVAL_PP(zuse) == SOAP_LITERAL) { + Z_TYPE_PP(zuse) == IS_LONG && Z_LVAL_PP(zuse) == SOAP_LITERAL) { use = SOAP_LITERAL; } else { use = SOAP_ENCODED; @@ -4410,6 +4425,7 @@ zval **param_data; if (zend_hash_find(Z_OBJPROP_P(param_val), "param_name", sizeof("param_name"), (void **)¶m_name) == SUCCESS && + Z_TYPE_PP(param_name) == IS_STRING && zend_hash_find(Z_OBJPROP_P(param_val), "param_data", sizeof("param_data"), (void **)¶m_data) == SUCCESS) { param_val = *param_data; name = Z_STRVAL_PP(param_name); diff --git a/ext/soap/tests/bugs/bug69085.phpt b/ext/soap/tests/bugs/bug69085.phpt new file mode 100644 index 0000000..cb27cfd --- /dev/null +++ b/ext/soap/tests/bugs/bug69085.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #69085 (SoapClient's __call() type confusion through unserialize()) +--SKIPIF-- + +--INI-- +soap.wsdl_cache_enabled=0 +--FILE-- +whatever(); +} catch (Exception $e) { + echo "okey"; +} +--EXPECT-- +okey