Commit: 997b7e56302710bb3db00b56d0629ac75d73a207
Author: Xinchen Hui <laruence@php.net> Fri, 27 Feb 2015 23:32:32 +0800
Parents: 4eb830b212b3f0c53ed208723520e77a26b13e2b
Branches: PHP-5.5 PHP-5.6

Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=997b7e56302710bb3db00b56d0629ac75d73a207

Log:
Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()).

Bugs:
https://bugs.php.net/69085

Changed paths:
   M NEWS
   M ext/soap/soap.c
   A ext/soap/tests/bugs/bug69085.phpt


Diff:
diff --git a/NEWS b/NEWS
index 0169572..486f949 100644
--- a/NEWS
+++ b/NEWS
@@ -38,6 +38,10 @@ PHP NEWS
    . Fixed bug #69054 (Null dereference in readline_(read|write)_history() without
      parameters). (Laruence)

+- SOAP:
+ . Fixed bug #69085 (SoapClient's __call() type confusion through
+ unserialize()). (andrea dot palazzo at truel dot it, Laruence)
+
  - SPL:
    . Fixed bug #69108 ("Segmentation fault" when (de)serializing
      SplObjectStorage). (Laruence)
diff --git a/ext/soap/soap.c b/ext/soap/soap.c
index daf977e..ffa4007 100644
--- a/ext/soap/soap.c
+++ b/ext/soap/soap.c
@@ -2564,7 +2564,7 @@ static int do_request(zval *this_ptr, xmlDoc *request, char *location, char *act
   }

   if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS &&
- Z_LVAL_PP(trace) > 0) {
+ Z_TYPE_PP(trace) == IS_LONG && Z_LVAL_PP(trace) > 0) {
    add_property_stringl(this_ptr, "__last_request", buf, buf_size, 1);
   }

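Review bot: The guarded `trace` lookup is now written out twice, here and in the `__last_response` branch of the hunk at -2599, so the type check must be remembered at every read site. A small static helper that wraps the `zend_hash_find` call and the `Z_TYPE_PP(trace) == IS_LONG && Z_LVAL_PP(trace) > 0` test would keep both sites in sync. A comment above it such as `/* properties can be set via unserialize(); check the type before using Z_LVAL */` would record why the guard exists. do_request's body starts and ends outside both hunks.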
@@ -2599,7 +2599,7 @@ static int do_request(zval *this_ptr, xmlDoc *request, char *location, char *act
    }
    ret = FALSE;
   } else if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS &&
- Z_LVAL_PP(trace) > 0) {
+ Z_TYPE_PP(trace) == IS_LONG && Z_LVAL_PP(trace) > 0) {
    add_property_stringl(this_ptr, "__last_response", Z_STRVAL_P(response), Z_STRLEN_P(response), 1);
   }
   zval_ptr_dtor(&params[4]);
@@ -2904,7 +2904,7 @@ PHP_METHOD(SoapClient, __call)
   }

   /* Add default headers */
- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__default_headers", sizeof("__default_headers"), (void **) &tmp)==SUCCESS) {
+ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__default_headers", sizeof("__default_headers"), (void **) &tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_ARRAY) {
    HashTable *default_headers = Z_ARRVAL_P(*tmp);
    if (soap_headers) {
     if (!free_soap_headers) {
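Review bot: The added `Z_TYPE_PP(tmp) == IS_ARRAY` guard validates only the container, while the elements of `default_headers` are still caller-controlled when the object comes from unserialize(). How they are consumed lies outside this hunk; if the code that follows assumes each entry is a header object, it needs its own type check before dereferencing. The fix is also applied per site: the regression test's payload sets `uri`, `location` and `__last_response` as well. Any other `zend_hash_find(Z_OBJPROP_P(this_ptr), ...)` read in soap.c that goes straight to a `Z_*VAL` macro is worth auditing in the same pass.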
diff --git a/ext/soap/tests/bugs/bug69085.phpt b/ext/soap/tests/bugs/bug69085.phpt
new file mode 100644
index 0000000..cb27cfd
--- /dev/null
+++ b/ext/soap/tests/bugs/bug69085.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #69085 (SoapClient's __call() type confusion through unserialize())
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--INI--
+soap.wsdl_cache_enabled=0
+--FILE--
+<?php
+
+$dummy = unserialize('O:10:"SoapClient":5:{s:3:"uri";s:1:"a";s:8:"location";s:22:"http://localhost/a.xml";s:17:"__default_headers";i:1337;s:15:"__last_response";s:1:"a";s:5:"trace";s:1:"x";}');
+try {
+ $dummy->whatever();
+} catch (Exception $e) {
+ echo "okey";
+}
+--EXPECT--
+okey
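Review bot: The test prints `okey` only when `$dummy->whatever()` throws, which appears to depend on the request to `http://localhost/a.xml` failing on the test machine. If the call ever returns without an exception, the test fails for a reason unrelated to the type checks. Leaving the catch body empty and putting `echo "okey";` after the try/catch would assert the actual property, that the call survives the malformed properties. Splitting the `trace` and `__default_headers` payloads into separate unserialize() cases would also make a regression point at the affected site.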
