From: Stanislav Malyshev
Date: Mon, 22 Feb 2016 07:45:57 +0000 (-0800)
Subject: Fix bug #71610: Type Confusion Vulnerability - SOAP / make_http_soap_request()
X-Git-Tag: php-7.0.4~3
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=07b6fc93b11b46926db6e7c02f90c84981a40c33;p=php
Fix bug #71610: Type Confusion Vulnerability - SOAP / make_http_soap_request()
---
diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c
index 2baa0fa3ff..a2d0b6207d 100644
--- a/ext/soap/php_http.c
+++ b/ext/soap/php_http.c
@@ -833,8 +833,10 @@ try_again:
 Z_TYPE_P(value) == IS_STRING) {
 zval *tmp;
 if (((tmp = zend_hash_index_find(Z_ARRVAL_P(data), 1)) == NULL ||
+ Z_TYPE_P(tmp) != IS_STRING ||
 strncmp(phpurl->path?phpurl->path:"/",Z_STRVAL_P(tmp),Z_STRLEN_P(tmp)) == 0) &&
 ((tmp = zend_hash_index_find(Z_ARRVAL_P(data), 2)) == NULL ||
+ Z_TYPE_P(tmp) != IS_STRING ||
 in_domain(phpurl->host,Z_STRVAL_P(tmp))) &&
 (use_ssl || (tmp = zend_hash_index_find(Z_ARRVAL_P(data), 3)) == NULL)) {
 smart_str_append(&soap_headers, key);
diff --git a/ext/soap/tests/bug71610.phpt b/ext/soap/tests/bug71610.phpt
new file mode 100644
index 0000000000..4f1c7162ff
--- /dev/null
+++ b/ext/soap/tests/bug71610.phpt
@@ -0,0 +1,15 @@
+--TEST--
+SOAP Bug #71610 - Type Confusion Vulnerability - SOAP / make_http_soap_request()
+--SKIPIF--
+
+--FILE--
+blahblah();
+} catch(SoapFault $e) {
+ echo $e->getMessage()."\n";
+}
+?>
+--EXPECT--
+looks like we got no XML document
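Review bot: The two added `Z_TYPE_P(tmp) != IS_STRING ||` guards in the php_http.c hunk fail open: when the path entry (index 1) or the domain entry (index 2) of `data` is present but not a string, the clause is true exactly as if the attribute were absent, so the cookie is appended for any path or host. That keeps `Z_STRVAL_P`/`Z_STRLEN_P` away from a non-string zval, but a malformed entry loses its scoping instead of being dropped. If no legitimate producer stores non-strings at those indexes (not visible in this hunk), I would reject the cookie instead, with `(Z_TYPE_P(tmp) == IS_STRING && strncmp(phpurl->path?phpurl->path:"/",Z_STRVAL_P(tmp),Z_STRLEN_P(tmp)) == 0)` and `(Z_TYPE_P(tmp) == IS_STRING && in_domain(phpurl->host,Z_STRVAL_P(tmp)))`, and add a short comment stating which of the two behaviours is intended. The enclosing `if` starts above the hunk and its body continues past it, so other reads of this array are not covered by this review.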