Skip to content

Instantly share code, notes, and snippets.

@smalyshev
Created Feb 22, 2016
Embed
What would you like to do?
commit eaf4e77190d402ea014207e9a7d5da1a4f3727ba
Author: Stanislav Malyshev <stas@php.net>
Date: Sun Feb 21 23:45:57 2016 -0800
Fix bug #71610: Type Confusion Vulnerability - SOAP / make_http_soap_request()
diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c
index 2baa0fa..a2d0b62 100644
--- a/ext/soap/php_http.c
+++ b/ext/soap/php_http.c
@@ -833,8 +833,10 @@ try_again:
Z_TYPE_P(value) == IS_STRING) {
zval *tmp;
if (((tmp = zend_hash_index_find(Z_ARRVAL_P(data), 1)) == NULL ||
+ Z_TYPE_P(tmp) != IS_STRING ||
strncmp(phpurl->path?phpurl->path:"/",Z_STRVAL_P(tmp),Z_STRLEN_P(tmp)) == 0) &&
((tmp = zend_hash_index_find(Z_ARRVAL_P(data), 2)) == NULL ||
+ Z_TYPE_P(tmp) != IS_STRING ||
in_domain(phpurl->host,Z_STRVAL_P(tmp))) &&
(use_ssl || (tmp = zend_hash_index_find(Z_ARRVAL_P(data), 3)) == NULL)) {
smart_str_append(&soap_headers, key);
diff --git a/ext/soap/tests/bug71610.phpt b/ext/soap/tests/bug71610.phpt
new file mode 100644
index 0000000..4f1c716
--- /dev/null
+++ b/ext/soap/tests/bug71610.phpt
@@ -0,0 +1,15 @@
+--TEST--
+SOAP Bug #71610 - Type Confusion Vulnerability - SOAP / make_http_soap_request()
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--FILE--
+<?php
+$exploit = unserialize('O:10:"SoapClient":3:{s:3:"uri";s:1:"a";s:8:"location";s:19:"http://testuri.org/";s:8:"_cookies";a:1:{s:8:"manhluat";a:3:{i:0;s:0:"";i:1;N;i:2;N;}}}}');
+try {
+$exploit->blahblah();
+} catch(SoapFault $e) {
+ echo $e->getMessage()."\n";
+}
+?>
+--EXPECT--
+looks like we got no XML document
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment