From 5dd8dd8493d49bb6fcd810a6e9d2ffb6fdc15714 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sun, 3 May 2026 19:57:16 +0200
Subject: [PATCH 02/10] GHSA-m33r-qmcv-p97q: [soap] Fix use-after-free after
header parsing failure with SOAP_PERSISTENCE_SESSION
Fixes GHSA-m33r-qmcv-p97q
Fixes CVE-2026-7261
(cherry picked from commit db2a7f9348fd5dda5fd162061786a664c417bf5b)
---
ext/soap/soap.c | 12 ++++-
ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt | 58 +++++++++++++++++++++++++
2 files changed, 68 insertions(+), 2 deletions(-)
create mode 100644 ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
diff --git a/ext/soap/soap.c b/ext/soap/soap.c
index 3bc713ca76b..bb8b664af58 100644
--- a/ext/soap/soap.c
+++ b/ext/soap/soap.c
@@ -1477,13 +1477,21 @@ PHP_METHOD(SoapServer, handle)
php_output_discard();
soap_server_fault_ex(function, &h->retval, h);
zend_string_release(fn_name);
- if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);}
+ if (service->type == SOAP_CLASS && soap_obj) {
+ if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) {
+ zval_ptr_dtor(soap_obj);
+ }
+ }
goto fail;
} else if (EG(exception)) {
php_output_discard();
_soap_server_exception(service, function, ZEND_THIS);
zend_string_release(fn_name);
- if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);}
+ if (service->type == SOAP_CLASS && soap_obj) {
+ if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) {
+ zval_ptr_dtor(soap_obj);
+ }
+ }
goto fail;
}
} else if (h->mustUnderstand) {
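Review bot: The ownership guard is duplicated in both error branches (after `soap_server_fault_ex` and after `_soap_server_exception`) with no comment explaining why the release is skipped, so a later cleanup could easily restore the unconditional `zval_ptr_dtor(soap_obj)`. Consider collapsing each copy into one condition, `if (service->type == SOAP_CLASS && soap_obj && service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) {`, and stating the invariant next to it, for example `/* With SOAP_PERSISTENCE_SESSION the object is presumably still referenced from the session; releasing it here would leave a dangling pointer. */`. Any other place in `PHP_METHOD(SoapServer, handle)` that releases `soap_obj` should carry the same guard. The method starts and ends outside this hunk, so that cannot be confirmed from here.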
diff --git a/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
new file mode 100644
index 00000000000..bcf441ccd18
--- /dev/null
+++ b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
@@ -0,0 +1,58 @@
+--TEST--
+GHSA-m33r-qmcv-p97q: Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
+--CREDITS--
+Ilia Alshanetsky (iliaal)
+--EXTENSIONS--
+soap
+session
+--FILE--
+<?php
+
+class Handler {
+ public function return() {
+ return new SoapFault('Server', 'denied');
+ }
+ public function throw() {
+ throw new SoapFault('Server', 'denied');
+ }
+ public function hello() {
+ return 'ok';
+ }
+}
+
+session_start();
+
+$srv = new SoapServer(null, ['uri' => 'urn:a']);
+$srv->setClass(Handler::class);
+$srv->setPersistence(SOAP_PERSISTENCE_SESSION);
+
+$srv->handle(<<<XML
+<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="urn:a">
+ <soap:Header>
+ <a:return/>
+ </soap:Header>
+ <soap:Body>
+ <a:hello/>
+ </soap:Body>
+</soap:Envelope>
+XML);
+
+$srv->handle(<<<XML
+<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="urn:a">
+ <soap:Header>
+ <a:throw/>
+ </soap:Header>
+ <soap:Body>
+ <a:hello/>
+ </soap:Body>
+</soap:Envelope>
+XML);
+
+?>
+--EXPECT--
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>denied</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>denied</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
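Review bot: The session-held `Handler` is never used again after the second request, so the fix in the `EG(exception)` branch appears to be checked only by whatever touches the object at session shutdown. The first fault path is better covered, because the second `handle()` call reuses the object. On a build without a sanitizer or a debug allocator the test may therefore still pass with the exception-path guard missing. A third request with no header, which reaches `hello()` on the retained object, would make the reuse explicit. The `--EXPECT--` section then needs the matching success response appended, which is not shown here.

```php
// … unchanged: the two requests whose header handlers fail …

// Constructed follow-up request: no header, so the call reaches the session-held Handler.
$srv->handle(<<<XML
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="urn:a">
  <soap:Body>
    <a:hello/>
  </soap:Body>
</soap:Envelope>
XML);
```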
--
2.54.0