mirror of
https://github.com/php/php-src.git
synced 2025-08-15 21:48:51 +02:00
Merge branch 'PHP-8.4'
* PHP-8.4: Fix GH-17224: UAF in importNode
This commit is contained in:
Niels Dossche
commit
1fff0c05b7
2 changed files with 69 additions and 2 deletions
|
|
@ -783,14 +783,14 @@ PHP_METHOD(DOMDocument, importNode)
|
|||
xmlNsPtr nsptr = NULL;
|
||||
xmlNodePtr root = xmlDocGetRootElement(docp);
|
||||
|
||||
nsptr = xmlSearchNsByHref (nodep->doc, root, nodep->ns->href);
|
||||
nsptr = xmlSearchNsByHref (docp, root, nodep->ns->href);
|
||||
if (nsptr == NULL || nsptr->prefix == NULL) {
|
||||
int errorcode;
|
||||
nsptr = dom_get_ns(root, (char *) nodep->ns->href, &errorcode, (char *) nodep->ns->prefix);
|
||||
|
||||
/* If there is no root, the namespace cannot be attached to it, so we have to attach it to the old list. */
|
||||
if (nsptr != NULL && root == NULL) {
|
||||
php_libxml_set_old_ns(nodep->doc, nsptr);
|
||||
php_libxml_set_old_ns(docp, nsptr);
|
||||
}
|
||||
}
|
||||
retnodep->ns = nsptr;
|
||||
|
|
|
|||
67
ext/dom/tests/gh17224.phpt
Normal file
67
ext/dom/tests/gh17224.phpt
Normal file
|
|
@ -0,0 +1,67 @@
|
|||
--TEST--
|
||||
GH-17224 (UAF in importNode)
|
||||
--EXTENSIONS--
|
||||
dom
|
||||
--CREDITS--
|
||||
YuanchengJiang
|
||||
--FILE--
|
||||
<?php
|
||||
$aDOM = new DOMDocument();
|
||||
$fromdom = new DOMDocument();
|
||||
$fromdom->loadXML('<data xmlns:ai="http://test.org" ai:attr="namespaced" />');
|
||||
$attr = $fromdom->firstChild->attributes->item(0);
|
||||
$att = $aDOM->importNode($attr);
|
||||
$doc = new DOMDocument;
|
||||
$fromdom->load(__DIR__."/book.xml");
|
||||
unset($attr);
|
||||
var_dump($att);
|
||||
?>
|
||||
--EXPECTF--
|
||||
object(DOMAttr)#%d (%d) {
|
||||
["specified"]=>
|
||||
bool(true)
|
||||
["schemaTypeInfo"]=>
|
||||
NULL
|
||||
["name"]=>
|
||||
string(4) "attr"
|
||||
["value"]=>
|
||||
string(10) "namespaced"
|
||||
["ownerElement"]=>
|
||||
NULL
|
||||
["nodeName"]=>
|
||||
string(7) "ai:attr"
|
||||
["nodeValue"]=>
|
||||
string(10) "namespaced"
|
||||
["nodeType"]=>
|
||||
int(2)
|
||||
["parentNode"]=>
|
||||
NULL
|
||||
["parentElement"]=>
|
||||
NULL
|
||||
["childNodes"]=>
|
||||
string(22) "(object value omitted)"
|
||||
["firstChild"]=>
|
||||
string(22) "(object value omitted)"
|
||||
["lastChild"]=>
|
||||
string(22) "(object value omitted)"
|
||||
["previousSibling"]=>
|
||||
NULL
|
||||
["nextSibling"]=>
|
||||
NULL
|
||||
["attributes"]=>
|
||||
NULL
|
||||
["isConnected"]=>
|
||||
bool(false)
|
||||
["ownerDocument"]=>
|
||||
string(22) "(object value omitted)"
|
||||
["namespaceURI"]=>
|
||||
string(15) "http://test.org"
|
||||
["prefix"]=>
|
||||
string(2) "ai"
|
||||
["localName"]=>
|
||||
string(4) "attr"
|
||||
["baseURI"]=>
|
||||
NULL
|
||||
["textContent"]=>
|
||||
string(10) "namespaced"
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue