Fix GHSA-453j-q27h-5p8x

Libxml versions prior to 2.13 cannot correctly handle a call to
xmlNodeSetName() with a name longer than 2G. It will leave the node
object in an invalid state with a NULL name. This later causes a NULL
pointer dereference when using the name during message serialization.

To solve this, implement a workaround that resets the name to the
sentinel name if this situation arises.

Versions of libxml of 2.13 and higher are not affected.

This can be exploited if a SoapVar is created with a fully qualified
name that is longer than 2G. This would be possible if some application
code uses a namespace prefix from an untrusted source, such as a remote
SOAP service.

Co-authored-by: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Ahmed Lekssays 2025-06-03 09:00:55 +00:00 committed by Niels Dossche
parent 65eade719f
commit 026ab919d0
No known key found for this signature in database
GPG key ID: B8A8AD166DF0E2E5
2 changed files with 52 additions and 2 deletions


@ -3980,8 +3980,10 @@ static xmlNodePtr serialize_zval(zval *val, sdlParamPtr param, char *paramName,
}
xmlParam = master_to_xml(enc, val, style, parent);
zval_ptr_dtor(&defval);
if (!strcmp((char*)xmlParam->name, "BOGUS")) {
xmlNodeSetName(xmlParam, BAD_CAST(paramName));
if (xmlParam != NULL) {
if (xmlParam->name == NULL || strcmp((char*)xmlParam->name, "BOGUS") == 0) {
xmlNodeSetName(xmlParam, BAD_CAST(paramName));
}
}
return xmlParam;
}
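Review bot: The name is not checked again after `xmlNodeSetName(xmlParam, BAD_CAST(paramName));`, so if that call fails the way the description says it does on libxml before 2.13, `xmlParam->name` is still NULL when the node is returned and later serialized. Whether `paramName` can reach that length is not visible in this hunk, but a second `xmlParam->name == NULL` test after the call, treated as an encoding failure, would close the gap either way. The new NULL test would also benefit from a short comment naming the cause, e.g. `/* libxml2 < 2.13 can leave name NULL after an oversized xmlNodeSetName() */`, and the two nested `if`s could be a single condition joined with `&&`. The body of serialize_zval starts outside the hunk.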


@ -0,0 +1,48 @@
--TEST--
Test SoapClient with excessively large QName prefix in SoapVar
--EXTENSIONS--
soap
--SKIPIF--
<?php
if (PHP_INT_SIZE != 8) die("skip: 64-bit only");
?>
--INI--
memory_limit=6144M
--FILE--
<?php
class TestSoapClient extends SoapClient {
public function __doRequest(
$request,
$location,
$action,
$version,
$one_way = false,
): ?string {
die($request);
}
}
$prefix = str_repeat("A", 2 * 1024 * 1024 * 1024);
$qname = "{$prefix}:tag";
echo "Attempting to create SoapVar with very large QName\n";
$var = new SoapVar("value", XSD_QNAME, null, null, $qname);
echo "Attempting encoding\n";
$options = [
'location' => 'http://127.0.0.1/',
'uri' => 'urn:dummy',
'trace' => 1,
'exceptions' => true,
];
$client = new TestSoapClient(null, $options);
$client->__soapCall("DummyFunction", [$var]);
?>
--EXPECT--
Attempting to create SoapVar with very large QName
Attempting encoding
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:dummy" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:DummyFunction><param0 xsi:type="xsd:QName">value</param0></ns1:DummyFunction></SOAP-ENV:Body></SOAP-ENV:Envelope>
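Review bot: The `--SKIPIF--` section only checks `PHP_INT_SIZE`, yet the test builds a 2 GiB string with `str_repeat` and raises `memory_limit` to 6144M, so on a runner with less free memory it may be killed or fail for reasons unrelated to the fix. Adding `if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");` to SKIPIF would let constrained CI jobs opt out. The expected output pins only the fallback element name `param0`; a one-line comment in `--FILE--` stating that the oversized QName is expected to fall back to the parameter name rather than be rejected would make that intent explicit.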