mirror of
https://github.com/php/php-src.git
synced 2025-08-15 21:48:51 +02:00
Fix GH-16777: Calling the constructor again on a DOM object after it is in a document causes UAF
Closes GH-16824.
This commit is contained in:
Niels Dossche
parent
2ba18590bf
commit
18b18f0ee0
4 changed files with 58 additions and 0 deletions
4
NEWS
4
NEWS
|
|
@ -15,6 +15,10 @@ PHP NEWS
|
|||
- Curl:
|
||||
. Fixed bug GH-16802 (open_basedir bypass using curl extension). (nielsdos)
|
||||
|
||||
- DOM:
|
||||
. Fixed bug GH-16777 (Calling the constructor again on a DOM object after it
|
||||
is in a document causes UAF). (nielsdos)
|
||||
|
||||
- FPM:
|
||||
. Fixed GH-16432 (PHP-FPM 8.2 SIGSEGV in fpm_get_status). (Jakub Zelenka)
|
||||
|
||||
|
|
|
|||
|
|
@ -1024,6 +1024,7 @@ PHP_METHOD(DOMNode, insertBefore)
|
|||
}
|
||||
|
||||
if (child->doc == NULL && parentp->doc != NULL) {
|
||||
xmlSetTreeDoc(child, parentp->doc);
|
||||
dom_set_document_ref_pointers(child, intern->document);
|
||||
}
|
||||
|
||||
|
|
@ -1188,6 +1189,7 @@ PHP_METHOD(DOMNode, replaceChild)
|
|||
}
|
||||
|
||||
if (newchild->doc == NULL && nodep->doc != NULL) {
|
||||
xmlSetTreeDoc(newchild, nodep->doc);
|
||||
dom_set_document_ref_pointers(newchild, intern->document);
|
||||
}
|
||||
|
||||
|
|
@ -1291,6 +1293,7 @@ PHP_METHOD(DOMNode, appendChild)
|
|||
}
|
||||
|
||||
if (child->doc == NULL && nodep->doc != NULL) {
|
||||
xmlSetTreeDoc(child, nodep->doc);
|
||||
dom_set_document_ref_pointers(child, intern->document);
|
||||
}
|
||||
|
||||
|
|
|
|||
24
ext/dom/tests/gh16777_1.phpt
Normal file
24
ext/dom/tests/gh16777_1.phpt
Normal file
|
|
@ -0,0 +1,24 @@
|
|||
--TEST--
|
||||
GH-16777 (Calling the constructor again on a DOM object after it is in a document causes UAF)
|
||||
--EXTENSIONS--
|
||||
dom
|
||||
--FILE--
|
||||
<?php
|
||||
$text = new DOMText('my value');
|
||||
$doc = new DOMDocument();
|
||||
$doc->appendChild($text);
|
||||
$text->__construct('my new value');
|
||||
$doc->appendChild($text);
|
||||
echo $doc->saveXML();
|
||||
$dom2 = new DOMDocument();
|
||||
try {
|
||||
$dom2->appendChild($text);
|
||||
} catch (DOMException $e) {
|
||||
echo $e->getMessage(), "\n";
|
||||
}
|
||||
?>
|
||||
--EXPECT--
|
||||
<?xml version="1.0"?>
|
||||
my value
|
||||
my new value
|
||||
Wrong Document Error
|
||||
27
ext/dom/tests/gh16777_2.phpt
Normal file
27
ext/dom/tests/gh16777_2.phpt
Normal file
|
|
@ -0,0 +1,27 @@
|
|||
--TEST--
|
||||
GH-16777 (Calling the constructor again on a DOM object after it is in a document causes UAF)
|
||||
--EXTENSIONS--
|
||||
dom
|
||||
--FILE--
|
||||
<?php
|
||||
$el = new DOMElement('name');
|
||||
$el->append($child = new DOMElement('child'));
|
||||
$doc = new DOMDocument();
|
||||
$doc->appendChild($el);
|
||||
$el->__construct('newname');
|
||||
$doc->appendChild($el);
|
||||
echo $doc->saveXML();
|
||||
$dom2 = new DOMDocument();
|
||||
try {
|
||||
$dom2->appendChild($el);
|
||||
} catch (DOMException $e) {
|
||||
echo $e->getMessage(), "\n";
|
||||
}
|
||||
var_dump($child->ownerDocument === $doc);
|
||||
?>
|
||||
--EXPECT--
|
||||
<?xml version="1.0"?>
|
||||
<name><child/></name>
|
||||
<newname/>
|
||||
Wrong Document Error
|
||||
bool(true)
|
||||
Loading…
Add table
Add a link
Reference in a new issue