From 15064460d6682766f91c1a841d27cdfbc38907e8 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sun, 3 May 2026 19:56:53 +0200
Subject: [PATCH 01/10] GHSA-85c2-q967-79q5: [soap] Fix stale
SOAP_GLOBAL(ref_map) pointer with Apache Map
Fixes GHSA-85c2-q967-79q5
Fixes CVE-2026-6722
(cherry picked from commit aee3b3ac9b816b0def1c462695b483b49a83148e)
---
ext/soap/php_encoding.c | 3 +-
ext/soap/tests/GHSA-85c2-q967-79q5.phpt | 61 +++++++++++++++++++++++++
2 files changed, 63 insertions(+), 1 deletion(-)
create mode 100644 ext/soap/tests/GHSA-85c2-q967-79q5.phpt
diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
index 4d389a8c585..bf394f7ea92 100644
--- a/ext/soap/php_encoding.c
+++ b/ext/soap/php_encoding.c
@@ -365,6 +365,7 @@ static bool soap_check_xml_ref(zval *data, xmlNodePtr node)
static void soap_add_xml_ref(zval *data, xmlNodePtr node)
{
if (SOAP_GLOBAL(ref_map)) {
+ Z_TRY_ADDREF_P(data);
zend_hash_index_update(SOAP_GLOBAL(ref_map), (zend_ulong)node, data);
}
}
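Review bot: Nothing near `Z_TRY_ADDREF_P(data)` in soap_add_xml_ref states the ownership rule this patch introduces. The map now holds its own reference to every stored zval, and that reference is released only because the encode_reset_ns hunk passes `ZVAL_PTR_DTOR` to `zend_hash_init`. The two halves sit in different functions about 3000 lines apart, so a later change to one without the other would bring back either a dangling entry or a leak. I would add `/* ref_map owns a reference to each value; released by the ZVAL_PTR_DTOR set in encode_reset_ns() */` above the addref, and a matching one-line comment at the `zend_hash_init` call. soap_check_xml_ref, which reads the map, lies outside the hunk, so it is worth confirming that it takes its own reference when copying an entry out rather than borrowing the map's.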
@@ -3437,7 +3438,7 @@ void encode_reset_ns()
} else {
SOAP_GLOBAL(ref_map) = emalloc(sizeof(HashTable));
}
- zend_hash_init(SOAP_GLOBAL(ref_map), 0, NULL, NULL, 0);
+ zend_hash_init(SOAP_GLOBAL(ref_map), 0, NULL, ZVAL_PTR_DTOR, 0);
}
void encode_finish()
diff --git a/ext/soap/tests/GHSA-85c2-q967-79q5.phpt b/ext/soap/tests/GHSA-85c2-q967-79q5.phpt
new file mode 100644
index 00000000000..8bcac26ad18
--- /dev/null
+++ b/ext/soap/tests/GHSA-85c2-q967-79q5.phpt
@@ -0,0 +1,61 @@
+--TEST--
+GHSA-85c2-q967-79q5: Stale SOAP_GLOBAL(ref_map) pointer with Apache Map
+--CREDITS--
+brettgervasoni
+--EXTENSIONS--
+soap
+--FILE--
+<?php
+
+class Handler {
+ public function test(...$args) {
+ $GLOBALS['result'] = $args;
+ }
+}
+
+$envelope = <<<'XML'
+<?xml version="1.0" encoding="UTF-8"?>
+<soapenv:Envelope
+ xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+
+ <soapenv:Body>
+ <test>
+ <map xsi:type="apache:Map" xmlns:apache="http://xml.apache.org/xml-soap">
+ <item>
+ <key>foo</key>
+ <value id="stale"><object>bar</object></value>
+ </item>
+ <item>
+ <key>foo</key>
+ <value>baz</value>
+ </item>
+ </map>
+ <stale href="#stale"/>
+ </test>
+ </soapenv:Body>
+</soapenv:Envelope>
+XML;
+
+$s = new SoapServer(null, ['uri' => 'urn:a']);
+$s->setClass(Handler::class);
+$s->handle($envelope);
+var_dump($result);
+
+?>
+--EXPECTF--
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:a" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:testResponse><return xsi:nil="true"/></ns1:testResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
+array(2) {
+ [0]=>
+ array(1) {
+ ["foo"]=>
+ string(3) "baz"
+ }
+ [1]=>
+ object(stdClass)#%d (1) {
+ ["object"]=>
+ string(3) "bar"
+ }
+}
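Review bot: The envelope in the --FILE-- section does not say why it exercises the bug, so the regression test reads like an arbitrary SOAP message. It appears the point is that both `<item>` elements use the key `foo`, so the second value replaces the first in the decoded map while `<stale href="#stale"/>` still resolves the first one through ref_map. A short comment before `$envelope` would make that intent survive later edits, for example `// Duplicate key "foo": the id="stale" value is overwritten in the map, then resolved again via href.` Because the underlying failure is a memory-lifetime error, the expected output alone may not catch a regression on every build, so the test is most meaningful when the suite also runs under ASAN or Valgrind.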
--
2.54.0