
Commit 2b80fd9

iluuu1994ericmann
authored andcommitted
GHSA-m33r-qmcv-p97q: [soap] Fix use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
Fixes GHSA-m33r-qmcv-p97q Fixes CVE-2026-7261
1 parent 64547ac commit 2b80fd9

2 files changed

Lines changed: 68 additions & 2 deletions


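--- a/ext/soap/soap.c
+++ b/ext/soap/soap.c
@@ -1444,12 +1444,20 @@ PHP_METHOD(SoapServer, handle)
 instanceof_function(Z_OBJCE(h->retval), soap_fault_class_entry)) {
 php_output_discard();
 soap_server_fault_ex(function, &h->retval, h);
-if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);}
+if (service->type == SOAP_CLASS && soap_obj) {
+if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) {
+zval_ptr_dtor(soap_obj);
+}
+}
 goto fail;
 } else if (EG(exception)) {
 php_output_discard();
 _soap_server_exception(service, function, ZEND_THIS);
-if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);}
+if (service->type == SOAP_CLASS && soap_obj) {
+if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) {
+zval_ptr_dtor(soap_obj);
+}
+}
 goto fail;
 }
 } else if (h->mustUnderstand) {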
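Review bot: The reason the release is skipped under SOAP_PERSISTENCE_SESSION is not stated at either of the two guards the commit adds (new lines 1447-1451 and 1456-1460); presumably the handler object is still referenced from the session there, so handle() does not own the reference it used to drop. A comment above the inner `if`, such as `/* session-persisted object is owned by the session; do not release it here */`, would stop a later cleanup from collapsing the check back into the old one-liner. The two blocks are identical, so a single condition, `if (service->type == SOAP_CLASS && soap_obj && service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) {zval_ptr_dtor(soap_obj);}`, or a small static helper would keep them from drifting apart. PHP_METHOD(SoapServer, handle) starts and ends outside the hunk, so any other exit path that releases soap_obj is not visible here and is worth checking against the same condition.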
Lines changed: 58 additions & 0 deletions
@@ -0,0 +1,58 @@
1+
--TEST--
2+
GHSA-m33r-qmcv-p97q: Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
3+
--CREDITS--
4+
Ilia Alshanetsky (iliaal)
5+
--EXTENSIONS--
6+
soap
7+
session
8+
--FILE--
9+
<?php
10+
11+
class Handler {
12+
public function return() {
13+
return new SoapFault('Server', 'denied');
14+
}
15+
public function throw() {
16+
throw new SoapFault('Server', 'denied');
17+
}
18+
public function hello() {
19+
return 'ok';
20+
}
21+
}
22+
23+
session_start();
24+
25+
$srv = new SoapServer(null, ['uri' => 'urn:a']);
26+
$srv->setClass(Handler::class);
27+
$srv->setPersistence(SOAP_PERSISTENCE_SESSION);
28+
29+
$srv->handle(<<<XML
30+
<?xml version="1.0" encoding="UTF-8"?>
31+
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="urn:a">
32+
<soap:Header>
33+
<a:return/>
34+
</soap:Header>
35+
<soap:Body>
36+
<a:hello/>
37+
</soap:Body>
38+
</soap:Envelope>
39+
XML);
40+
41+
$srv->handle(<<<XML
42+
<?xml version="1.0" encoding="UTF-8"?>
43+
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="urn:a">
44+
<soap:Header>
45+
<a:throw/>
46+
</soap:Header>
47+
<soap:Body>
48+
<a:hello/>
49+
</soap:Body>
50+
</soap:Envelope>
51+
XML);
52+
53+
?>
54+
--EXPECT--
55+
<?xml version="1.0" encoding="UTF-8"?>
56+
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>denied</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
57+
<?xml version="1.0" encoding="UTF-8"?>
58+
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>denied</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
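Review bot: Nothing in the --EXPECT-- section checks that the session-persisted Handler object is still usable after the two failing header calls. The test compares only the two fault envelopes, so it appears to rely on a crash or a memory checker to catch a regression. Giving Handler a little state, for example `public $calls = 0;` with `return ++$this->calls;` in `hello()`, and adding a third `handle()` call without a header would make a prematurely released object show up as wrong output. The script also calls `session_start()` with no matching `session_destroy()` at the end, which may leave session data behind in the test environment.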
