Fix bug #71610: Type Confusion Vulnerability - SOAP / make_http_soap_request()

diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c
index 2baa0fa3ff74e2940be80f4519cc46c06a255123..a2d0b6207d7db7ef54a6aa175915846498ae75d7 100644 (file)
--- a/ext/soap/php_http.c
+++ b/ext/soap/php_http.c
@@ -833,8 +833,10 @@ try_again:
                                                    Z_TYPE_P(value) == IS_STRING) {
                                                  zval *tmp;
                                                  if (((tmp = zend_hash_index_find(Z_ARRVAL_P(data), 1)) == NULL ||
+                                                          Z_TYPE_P(tmp) != IS_STRING ||
                                                       strncmp(phpurl->path?phpurl->path:"/",Z_STRVAL_P(tmp),Z_STRLEN_P(tmp)) == 0) &&
                                                      ((tmp = zend_hash_index_find(Z_ARRVAL_P(data), 2)) == NULL ||
+                                                          Z_TYPE_P(tmp) != IS_STRING ||
                                                       in_domain(phpurl->host,Z_STRVAL_P(tmp))) &&
                                                      (use_ssl || (tmp = zend_hash_index_find(Z_ARRVAL_P(data), 3)) == NULL)) {
                                                                smart_str_append(&soap_headers, key);

diff --git a/ext/soap/tests/bug71610.phpt b/ext/soap/tests/bug71610.phpt
new file mode 100644 (file)
index 0000000..4f1c716
--- /dev/null
+++ b/ext/soap/tests/bug71610.phpt
@@ -0,0 +1,15 @@
+--TEST--
+SOAP Bug #71610 - Type Confusion Vulnerability - SOAP / make_http_soap_request()
+--SKIPIF--
+<?php require_once('skipif.inc'); ?>
+--FILE--
+<?php
+$exploit = unserialize('O:10:"SoapClient":3:{s:3:"uri";s:1:"a";s:8:"location";s:19:"http://testuri.org/";s:8:"_cookies";a:1:{s:8:"manhluat";a:3:{i:0;s:0:"";i:1;N;i:2;N;}}}}');
+try {
+$exploit->blahblah();
+} catch(SoapFault $e) {
+       echo $e->getMessage()."\n";
+}
+?>
+--EXPECT--
+looks like we got no XML document