1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
|
From 237b2b14cad370a25ddec00be93a9710003b5048 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sun, 3 May 2026 19:56:53 +0200
Subject: [PATCH 1/6] GHSA-85c2-q967-79q5: [soap] Fix stale
SOAP_GLOBAL(ref_map) pointer with Apache Map
Fixes GHSA-85c2-q967-79q5
Fixes CVE-2026-6722
(cherry picked from commit aee3b3ac9b816b0def1c462695b483b49a83148e)
(cherry picked from commit 15064460d6682766f91c1a841d27cdfbc38907e8)
(cherry picked from commit bbc1be3fc763b81707ccaa91a4cd1d439b753b12)
(cherry picked from commit 6c4b67ca091afea4f436202d7f9db38a129106dc)
(cherry picked from commit 017843d76d595ae97cb97eba4affd69501244571)
(cherry picked from commit 8fc3ed35cf67234da5201f64051e2ffa96d70f86)
(cherry picked from commit 7151aacadf978a14d06e09dd5899e8727f232056)
---
ext/soap/php_encoding.c | 3 +-
ext/soap/tests/GHSA-85c2-q967-79q5.phpt | 61 +++++++++++++++++++++++++
2 files changed, 63 insertions(+), 1 deletion(-)
create mode 100644 ext/soap/tests/GHSA-85c2-q967-79q5.phpt
diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
index 47afe2703c7..40fba95980a 100644
--- a/ext/soap/php_encoding.c
+++ b/ext/soap/php_encoding.c
@@ -381,6 +381,7 @@ static zend_bool soap_check_xml_ref(zval *data, xmlNodePtr node)
static void soap_add_xml_ref(zval *data, xmlNodePtr node)
{
if (SOAP_GLOBAL(ref_map)) {
+ Z_TRY_ADDREF_P(data);
zend_hash_index_update(SOAP_GLOBAL(ref_map), (zend_ulong)node, data);
}
}
@@ -3472,7 +3473,7 @@ void encode_reset_ns()
} else {
SOAP_GLOBAL(ref_map) = emalloc(sizeof(HashTable));
}
- zend_hash_init(SOAP_GLOBAL(ref_map), 0, NULL, NULL, 0);
+ zend_hash_init(SOAP_GLOBAL(ref_map), 0, NULL, ZVAL_PTR_DTOR, 0);
}
void encode_finish()
diff --git a/ext/soap/tests/GHSA-85c2-q967-79q5.phpt b/ext/soap/tests/GHSA-85c2-q967-79q5.phpt
new file mode 100644
index 00000000000..8bcac26ad18
--- /dev/null
+++ b/ext/soap/tests/GHSA-85c2-q967-79q5.phpt
@@ -0,0 +1,61 @@
+--TEST--
+GHSA-85c2-q967-79q5: Stale SOAP_GLOBAL(ref_map) pointer with Apache Map
+--CREDITS--
+brettgervasoni
+--EXTENSIONS--
+soap
+--FILE--
+<?php
+
+class Handler {
+ public function test(...$args) {
+ $GLOBALS['result'] = $args;
+ }
+}
+
+$envelope = <<<'XML'
+<?xml version="1.0" encoding="UTF-8"?>
+<soapenv:Envelope
+ xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema">
+
+ <soapenv:Body>
+ <test>
+ <map xsi:type="apache:Map" xmlns:apache="http://xml.apache.org/xml-soap">
+ <item>
+ <key>foo</key>
+ <value id="stale"><object>bar</object></value>
+ </item>
+ <item>
+ <key>foo</key>
+ <value>baz</value>
+ </item>
+ </map>
+ <stale href="#stale"/>
+ </test>
+ </soapenv:Body>
+</soapenv:Envelope>
+XML;
+
+$s = new SoapServer(null, ['uri' => 'urn:a']);
+$s->setClass(Handler::class);
+$s->handle($envelope);
+var_dump($result);
+
+?>
+--EXPECTF--
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="urn:a" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:testResponse><return xsi:nil="true"/></ns1:testResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
+array(2) {
+ [0]=>
+ array(1) {
+ ["foo"]=>
+ string(3) "baz"
+ }
+ [1]=>
+ object(stdClass)#%d (1) {
+ ["object"]=>
+ string(3) "bar"
+ }
+}
--
2.54.0
|
