According to the DOM standard, elements may only contain element, text,
processing instruction and comment nodes[1]. It is also specified that
a HierarchyRequestError should be thrown if a document is to be
inserted[2]. We follow that standard, and prevent the use-after-free
this way.
[1] <https://dom.spec.whatwg.org/#node-trees>
[2] <https://dom.spec.whatwg.org/#mutation-algorithms>
Closes GH-6765.
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2021, PHP 7.4.18
+- DOM:
+ . Fixed bug #66783 (UAF when appending DOMDocument to element). (cmb)
01 Apr 2021, PHP 7.4.17
{
xmlNodePtr nodep;
- if (parent == NULL || child == NULL || child->doc != parent->doc) {
- return SUCCESS;
- }
+ if (parent == NULL || child == NULL || child->doc != parent->doc) {
+ return SUCCESS;
+ }
+
+ if (child->type == XML_DOCUMENT_NODE) {
+ return FAILURE;
+ }
nodep = parent;
--- /dev/null
+--TEST--
+Bug #66783 (UAF when appending DOMDocument to element)
+--SKIPIF--
+<?php
+if (!extension_loaded('dom')) die('skip dom extension not available');
+?>
+--FILE--
+<?php
+$doc = new DomDocument;
+$doc->loadXML('<root></root>');
+$e = $doc->createElement('e');
+try {
+ $e->appendChild($doc);
+} catch (DOMException $ex) {
+ echo $ex->getMessage(), PHP_EOL;
+}
+?>
+--EXPECTF--
+Hierarchy Request Error
projects / php / commitdiff