Merge branch 'PHP-8.4'
* PHP-8.4: Fix GH-17224: UAF in importNode
commit
1fff0c05b7
2 changed files with 69 additions and 2 deletions
|
@ -783,14 +783,14 @@ PHP_METHOD(DOMDocument, importNode)
|
||||||
xmlNsPtr nsptr = NULL;
|
xmlNsPtr nsptr = NULL;
|
||||||
xmlNodePtr root = xmlDocGetRootElement(docp);
|
xmlNodePtr root = xmlDocGetRootElement(docp);
|
||||||
|
|
||||||
nsptr = xmlSearchNsByHref (nodep->doc, root, nodep->ns->href);
|
nsptr = xmlSearchNsByHref (docp, root, nodep->ns->href);
|
||||||
if (nsptr == NULL || nsptr->prefix == NULL) {
|
if (nsptr == NULL || nsptr->prefix == NULL) {
|
||||||
int errorcode;
|
int errorcode;
|
||||||
nsptr = dom_get_ns(root, (char *) nodep->ns->href, &errorcode, (char *) nodep->ns->prefix);
|
nsptr = dom_get_ns(root, (char *) nodep->ns->href, &errorcode, (char *) nodep->ns->prefix);
|
||||||
|
|
||||||
/* If there is no root, the namespace cannot be attached to it, so we have to attach it to the old list. */
|
/* If there is no root, the namespace cannot be attached to it, so we have to attach it to the old list. */
|
||||||
if (nsptr != NULL && root == NULL) {
|
if (nsptr != NULL && root == NULL) {
|
||||||
php_libxml_set_old_ns(nodep->doc, nsptr);
|
php_libxml_set_old_ns(docp, nsptr);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
retnodep->ns = nsptr;
|
retnodep->ns = nsptr;
|
||||||
|
|
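Review bot: Nothing at the two call sites that now pass `docp` says why the namespace has to belong to the importing document, and that ownership rule is the whole fix. Judging by the regression test, `retnodep` can outlive `nodep->doc`, so a namespace found in or attached to the source document would be left dangling once that document is freed. I would add above the `xmlSearchNsByHref` call: `/* The namespace must be owned by docp: retnodep lives in docp and may outlive nodep->doc. */`. Separately, `errorcode` is filled in by `dom_get_ns` but never read in the visible lines, so a failed lookup leaves `retnodep->ns` NULL without any diagnostic; the rest of importNode is outside this hunk, so that may be handled elsewhere.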
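--- /dev/null
+++ b/ext/dom/tests/gh17224.phpt
@@ -0,0 +1,67 @@
+--TEST--
+GH-17224 (UAF in importNode)
+--EXTENSIONS--
+dom
+--CREDITS--
+YuanchengJiang
+--FILE--
+<?php
+$aDOM = new DOMDocument();
+$fromdom = new DOMDocument();
+$fromdom->loadXML('<data xmlns:ai="http://test.org" ai:attr="namespaced" />');
+$attr = $fromdom->firstChild->attributes->item(0);
+$att = $aDOM->importNode($attr);
+$doc = new DOMDocument;
+$fromdom->load(__DIR__."/book.xml");
+unset($attr);
+var_dump($att);
+?>
+--EXPECTF--
+object(DOMAttr)#%d (%d) {
+["specified"]=>
+bool(true)
+["schemaTypeInfo"]=>
+NULL
+["name"]=>
+string(4) "attr"
+["value"]=>
+string(10) "namespaced"
+["ownerElement"]=>
+NULL
+["nodeName"]=>
+string(7) "ai:attr"
+["nodeValue"]=>
+string(10) "namespaced"
+["nodeType"]=>
+int(2)
+["parentNode"]=>
+NULL
+["parentElement"]=>
+NULL
+["childNodes"]=>
+string(22) "(object value omitted)"
+["firstChild"]=>
+string(22) "(object value omitted)"
+["lastChild"]=>
+string(22) "(object value omitted)"
+["previousSibling"]=>
+NULL
+["nextSibling"]=>
+NULL
+["attributes"]=>
+NULL
+["isConnected"]=>
+bool(false)
+["ownerDocument"]=>
+string(22) "(object value omitted)"
+["namespaceURI"]=>
+string(15) "http://test.org"
+["prefix"]=>
+string(2) "ai"
+["localName"]=>
+string(4) "attr"
+["baseURI"]=>
+NULL
+["textContent"]=>
+string(10) "namespaced"
+}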
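Review bot: `$doc = new DOMDocument;` is never used, and the test does not say which statements provoke the free, so the reproducer is harder to maintain than it needs to be. As far as I can tell the trigger is `$fromdom->load(...)` replacing the source document followed by `unset($attr)`, after which `var_dump($att)` reads the imported attribute's namespace. I would drop the `$doc` line if it is not needed to reproduce the original crash, and add before the load: `// Reloading $fromdom releases the document $attr came from; $att must not reference its namespace.`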