path: root/php-cve-2026-7261.patch
blob: 1d4e8aeb5885723586d5d255cbe9cd56b5e95e04 (plain)
From f91ab4e04bc2f254ea1e49e1b76ff55adbbe3892 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sun, 3 May 2026 19:57:16 +0200
Subject: [PATCH 2/6] GHSA-m33r-qmcv-p97q: [soap] Fix use-after-free after
 header parsing failure with SOAP_PERSISTENCE_SESSION

Fixes GHSA-m33r-qmcv-p97q
Fixes CVE-2026-7261

(cherry picked from commit db2a7f9348fd5dda5fd162061786a664c417bf5b)
(cherry picked from commit 5dd8dd8493d49bb6fcd810a6e9d2ffb6fdc15714)
(cherry picked from commit 63cf032e9675d7d2bbc007c8c787597187a7567b)
(cherry picked from commit dd14d36e31dd99b7589f917924840fe4f46ca022)
(cherry picked from commit 7b354983a33c314b76c594c9c5b790e3b073dcf1)

adapt test for 7.2

(cherry picked from commit f91bcf961ac15eacabf33f86f62c17dbec4a39ab)
(cherry picked from commit ab6fa685773d4efea4de2df4956c97ffd65637e2)
---
 ext/soap/soap.c                         | 12 ++++-
 ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt | 60 +++++++++++++++++++++++++
 2 files changed, 70 insertions(+), 2 deletions(-)
 create mode 100644 ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt

diff --git a/ext/soap/soap.c b/ext/soap/soap.c
index 62b119fb2bf..e436c278760 100644
--- a/ext/soap/soap.c
+++ b/ext/soap/soap.c
@@ -1839,13 +1839,21 @@ PHP_METHOD(SoapServer, handle)
 					php_output_discard();
 					soap_server_fault_ex(function, &h->retval, h);
 					efree(fn_name);
-					if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);}
+					if (service->type == SOAP_CLASS && soap_obj) {
+						if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) {
+							zval_ptr_dtor(soap_obj);
+						}
+					}
 					goto fail;
 				} else if (EG(exception)) {
 					php_output_discard();
 					_soap_server_exception(service, function, getThis());
 					efree(fn_name);
-					if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);}
+					if (service->type == SOAP_CLASS && soap_obj) {
+						if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) {
+							zval_ptr_dtor(soap_obj);
+						}
+					}
 					goto fail;
 				}
 			} else if (h->mustUnderstand) {
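Review bot: Neither of the two new guards (the fault-return branch and the `EG(exception)` branch) says why a session-persisted object must be skipped, and the nested `if` could be a single condition. Judging by the commit subject, `soap_obj` under `SOAP_PERSISTENCE_SESSION` appears to be borrowed from session storage rather than owned by this call, so releasing it here would leave the session pointing at freed memory; a comment such as `/* session-persisted object is owned by the session, not by this request: do not release it on the error path */` above each guard would record that. The condition could read `if (service->type == SOAP_CLASS && soap_obj && service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) { zval_ptr_dtor(soap_obj); }`. The body of `SoapServer::handle` starts and continues outside the hunk, so other exits to `fail` that release `soap_obj` cannot be checked from here and are worth auditing against the same ownership rule.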
diff --git a/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
new file mode 100644
index 00000000000..6e4e9e75fb6
--- /dev/null
+++ b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
@@ -0,0 +1,60 @@
+--TEST--
+GHSA-m33r-qmcv-p97q: Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
+--CREDITS--
+Ilia Alshanetsky (iliaal)
+--EXTENSIONS--
+soap
+session
+--FILE--
+<?php
+
+class Handler {
+    public function return()  {
+        return new SoapFault('Server', 'denied');
+    }
+    public function throw()  {
+        throw new SoapFault('Server', 'denied');
+    }
+    public function hello() {
+        return 'ok';
+    }
+}
+
+session_start();
+
+$srv = new SoapServer(null, ['uri' => 'urn:a']);
+$srv->setClass(Handler::class);
+$srv->setPersistence(SOAP_PERSISTENCE_SESSION);
+
+$x = <<<XML
+<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="urn:a">
+    <soap:Header>
+        <a:return/>
+    </soap:Header>
+    <soap:Body>
+        <a:hello/>
+    </soap:Body>
+</soap:Envelope>
+XML;
+$srv->handle($x);
+
+$x = <<<XML
+<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="urn:a">
+    <soap:Header>
+        <a:throw/>
+    </soap:Header>
+    <soap:Body>
+        <a:hello/>
+    </soap:Body>
+</soap:Envelope>
+XML;
+$srv->handle($x);
+
+?>
+--EXPECT--
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>denied</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>denied</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
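Review bot: The `--EXPECT--` section pins only the two fault envelopes, so on an unpatched build the regression would presumably show up only as a crash or a memory-checker report, not as an output difference. A third request with no failing header, calling `hello` on the same session after both failures, would confirm the persisted `Handler` is still usable and give the test an observable result; the expected output would then need the matching response envelope. Separately, the commit message says the test was adapted for 7.2: if that branch's run-tests.php does not honour `--EXTENSIONS--`, a `--SKIPIF--` section such as `<?php if (!extension_loaded('soap') || !extension_loaded('session')) die('skip soap and session required'); ?>` is needed so the test skips rather than fails where either extension is absent.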
-- 
2.54.0