authorRemi Collet <remi@remirepo.net>2026-05-13 16:31:07 +0200
committerRemi Collet <remi@php.net>2026-05-13 16:31:07 +0200
commit11b950e90bcd9f0f3a7906cd3f2ae0c2e323f860 (patch)
tree625fdbf1da40e924f0daaf8e6a065643c9c08058 /php-cve-2026-6722.patch
parentdaf9b88c6cd0fe21b83f684e10dba7095d49605e (diff)
Fix XSS within status endpointHEADmaster
CVE-2026-6735
Fix Stale SOAP_GLOBAL(ref_map) pointer with Apache Map
CVE-2026-6722
Fix Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
CVE-2026-7261
Fix Broken Apache map value NULL check
CVE-2026-7262
Fix Signed integer overflow of char array offset
CVE-2026-7568
Diffstat (limited to 'php-cve-2026-6722.patch')
-rw-r--r--php-cve-2026-6722.patch113
1 files changed, 113 insertions, 0 deletions
diff --git a/php-cve-2026-6722.patch b/php-cve-2026-6722.patch
new file mode 100644
index 0000000..735ee1d
--- /dev/null
+++ b/php-cve-2026-6722.patch
@@ -0,0 +1,113 @@
+From 237b2b14cad370a25ddec00be93a9710003b5048 Mon Sep 17 00:00:00 2001
+From: Ilija Tovilo <ilija.tovilo@me.com>
+Date: Sun, 3 May 2026 19:56:53 +0200
+Subject: [PATCH 1/6] GHSA-85c2-q967-79q5: [soap] Fix stale
+ SOAP_GLOBAL(ref_map) pointer with Apache Map
+
+Fixes GHSA-85c2-q967-79q5
+Fixes CVE-2026-6722
+
+(cherry picked from commit aee3b3ac9b816b0def1c462695b483b49a83148e)
+(cherry picked from commit 15064460d6682766f91c1a841d27cdfbc38907e8)
+(cherry picked from commit bbc1be3fc763b81707ccaa91a4cd1d439b753b12)
+(cherry picked from commit 6c4b67ca091afea4f436202d7f9db38a129106dc)
+(cherry picked from commit 017843d76d595ae97cb97eba4affd69501244571)
+(cherry picked from commit 8fc3ed35cf67234da5201f64051e2ffa96d70f86)
+(cherry picked from commit 7151aacadf978a14d06e09dd5899e8727f232056)
+---
+ ext/soap/php_encoding.c | 3 +-
+ ext/soap/tests/GHSA-85c2-q967-79q5.phpt | 61 +++++++++++++++++++++++++
+ 2 files changed, 63 insertions(+), 1 deletion(-)
+ create mode 100644 ext/soap/tests/GHSA-85c2-q967-79q5.phpt
+
+diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
+index 47afe2703c7..40fba95980a 100644
+--- a/ext/soap/php_encoding.c
++++ b/ext/soap/php_encoding.c
+@@ -381,6 +381,7 @@ static zend_bool soap_check_xml_ref(zval *data, xmlNodePtr node)
+ static void soap_add_xml_ref(zval *data, xmlNodePtr node)
+ {
+ if (SOAP_GLOBAL(ref_map)) {
++ Z_TRY_ADDREF_P(data);
+ zend_hash_index_update(SOAP_GLOBAL(ref_map), (zend_ulong)node, data);
+ }
+ }
+@@ -3472,7 +3473,7 @@ void encode_reset_ns()
+ } else {
+ SOAP_GLOBAL(ref_map) = emalloc(sizeof(HashTable));
+ }
+- zend_hash_init(SOAP_GLOBAL(ref_map), 0, NULL, NULL, 0);
++ zend_hash_init(SOAP_GLOBAL(ref_map), 0, NULL, ZVAL_PTR_DTOR, 0);
+ }
+
+ void encode_finish()
+diff --git a/ext/soap/tests/GHSA-85c2-q967-79q5.phpt b/ext/soap/tests/GHSA-85c2-q967-79q5.phpt
+new file mode 100644
+index 00000000000..8bcac26ad18
+--- /dev/null
++++ b/ext/soap/tests/GHSA-85c2-q967-79q5.phpt
+@@ -0,0 +1,61 @@
++--TEST--
++GHSA-85c2-q967-79q5: Stale SOAP_GLOBAL(ref_map) pointer with Apache Map
++--CREDITS--
++brettgervasoni
++--EXTENSIONS--
++soap
++--FILE--
++<?php
++
++class Handler {
++ public function test(...$args) {
++ $GLOBALS['result'] = $args;
++ }
++}
++
++$envelope = <<<'XML'
++<?xml version="1.0" encoding="UTF-8"?>
++<soapenv:Envelope
++ xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
++ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
++ xmlns:xsd="http://www.w3.org/2001/XMLSchema">
++
++ <soapenv:Body>
++ <test>
++ <map xsi:type="apache:Map" xmlns:apache="http://xml.apache.org/xml-soap">
++ <item>
++ <key>foo</key>
++ <value id="stale"><object>bar</object></value>
++ </item>
++ <item>
++ <key>foo</key>
++ <value>baz</value>
++ </item>
++ </map>
++ <stale href="#stale"/>
++ </test>
++ </soapenv:Body>
++</soapenv:Envelope>
++XML;
++
++$s = new SoapServer(null, ['uri' => 'urn:a']);
++$s->setClass(Handler::class);
++$s->handle($envelope);
++var_dump($result);
++
++?>
++--EXPECTF--
++<?xml version="1.0" encoding="UTF-8"?>
++<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:a" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:testResponse><return xsi:nil="true"/></ns1:testResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
++array(2) {
++ [0]=>
++ array(1) {
++ ["foo"]=>
++ string(3) "baz"
++ }
++ [1]=>
++ object(stdClass)#%d (1) {
++ ["object"]=>
++ string(3) "bar"
++ }
++}
+--
+2.54.0
+
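Review bot: The ownership rule this fix introduces is not documented in ext/soap/php_encoding.c. After the change, `soap_add_xml_ref()` takes its own reference with `Z_TRY_ADDREF_P(data)` and the table set up in `encode_reset_ns()` releases it through `ZVAL_PTR_DTOR`, and the two lines are only correct as a pair. I would add a comment above the add, for example `/* ref_map owns one reference per entry; it is released by the ZVAL_PTR_DTOR passed to zend_hash_init() in encode_reset_ns() */`. That keeps a later backport or refactor from carrying one half without the other: the add alone would leak, and the destructor alone would release a reference the map never took. `encode_reset_ns()` starts above the embedded hunk, so the branch for an already-allocated map is not visible here; it is worth confirming that it destroys the old table before the re-init, now that entries hold references.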