Commit 8f9a8c00e79 for php.net
commit 8f9a8c00e79ed8af19d4f4bf00183e80129805d3
Author: ndossche <7771979+ndossche@users.noreply.github.com>
Date: Thu Mar 12 19:24:51 2026 +0100
Fix GH-21421: SoapClient typemap property breaks engine assumptions
The conversion away from resources introduced the contents of the
typemap property, which internally uses IS_PTR zvals.
These should never be exposed to userland because they break engine
assumptions. To solve this, we hide the typemap in an internal field.
We also disable cloning in the process which is broken in most cases
because it doesn't clone internal data.
Closes GH-21422.
diff --git a/NEWS b/NEWS
index 509e5398563..55b0d28000b 100644
--- a/NEWS
+++ b/NEWS
@@ -104,6 +104,8 @@ PHP NEWS
- Soap:
. Soap::__setCookie() when cookie name is a digit is now not stored and
represented as a string anymore but a int. (David Carlier)
+ . Fixed bug GH-21421 (SoapClient typemap property breaks engine assumptions).
+ (ndossche)
- Sockets:
. Added the TCP_USER_TIMEOUT constant for Linux to set the maximum time in
diff --git a/ext/soap/php_soap.h b/ext/soap/php_soap.h
index aa3fb79e570..8ae2cebf0d6 100644
--- a/ext/soap/php_soap.h
+++ b/ext/soap/php_soap.h
@@ -226,35 +226,34 @@ static zend_always_inline zval *php_soap_deref(zval *zv) {
#define Z_CLIENT_TRACE_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 4)
#define Z_CLIENT_COMPRESSION_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 5)
#define Z_CLIENT_SDL_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 6)
-#define Z_CLIENT_TYPEMAP_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 7)
-#define Z_CLIENT_HTTPSOCKET_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 8)
-#define Z_CLIENT_HTTPURL_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 9)
-#define Z_CLIENT_LOGIN_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 10)
-#define Z_CLIENT_PASSWORD_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 11)
-#define Z_CLIENT_USE_DIGEST_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 12)
-#define Z_CLIENT_DIGEST_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 13)
-#define Z_CLIENT_PROXY_HOST_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 14)
-#define Z_CLIENT_PROXY_PORT_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 15)
-#define Z_CLIENT_PROXY_LOGIN_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 16)
-#define Z_CLIENT_PROXY_PASSWORD_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 17)
-#define Z_CLIENT_EXCEPTIONS_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 18)
-#define Z_CLIENT_ENCODING_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 19)
-#define Z_CLIENT_CLASSMAP_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 20)
-#define Z_CLIENT_FEATURES_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 21)
-#define Z_CLIENT_CONNECTION_TIMEOUT_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 22)
-#define Z_CLIENT_STREAM_CONTEXT_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 23)
-#define Z_CLIENT_USER_AGENT_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 24)
-#define Z_CLIENT_KEEP_ALIVE_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 25)
-#define Z_CLIENT_SSL_METHOD_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 26)
-#define Z_CLIENT_SOAP_VERSION_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 27)
-#define Z_CLIENT_USE_PROXY_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 28)
-#define Z_CLIENT_COOKIES_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 29)
-#define Z_CLIENT_DEFAULT_HEADERS_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 30)
-#define Z_CLIENT_SOAP_FAULT_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 31)
-#define Z_CLIENT_LAST_REQUEST_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 32)
-#define Z_CLIENT_LAST_RESPONSE_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 33)
-#define Z_CLIENT_LAST_REQUEST_HEADERS_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 34)
-#define Z_CLIENT_LAST_RESPONSE_HEADERS_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 35)
+#define Z_CLIENT_HTTPSOCKET_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 7)
+#define Z_CLIENT_HTTPURL_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 8)
+#define Z_CLIENT_LOGIN_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 9)
+#define Z_CLIENT_PASSWORD_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 10)
+#define Z_CLIENT_USE_DIGEST_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 11)
+#define Z_CLIENT_DIGEST_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 12)
+#define Z_CLIENT_PROXY_HOST_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 13)
+#define Z_CLIENT_PROXY_PORT_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 14)
+#define Z_CLIENT_PROXY_LOGIN_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 15)
+#define Z_CLIENT_PROXY_PASSWORD_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 16)
+#define Z_CLIENT_EXCEPTIONS_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 17)
+#define Z_CLIENT_ENCODING_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 18)
+#define Z_CLIENT_CLASSMAP_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 19)
+#define Z_CLIENT_FEATURES_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 20)
+#define Z_CLIENT_CONNECTION_TIMEOUT_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 21)
+#define Z_CLIENT_STREAM_CONTEXT_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 22)
+#define Z_CLIENT_USER_AGENT_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 23)
+#define Z_CLIENT_KEEP_ALIVE_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 24)
+#define Z_CLIENT_SSL_METHOD_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 25)
+#define Z_CLIENT_SOAP_VERSION_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 26)
+#define Z_CLIENT_USE_PROXY_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 27)
+#define Z_CLIENT_COOKIES_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 28)
+#define Z_CLIENT_DEFAULT_HEADERS_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 29)
+#define Z_CLIENT_SOAP_FAULT_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 30)
+#define Z_CLIENT_LAST_REQUEST_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 31)
+#define Z_CLIENT_LAST_RESPONSE_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 32)
+#define Z_CLIENT_LAST_REQUEST_HEADERS_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 33)
+#define Z_CLIENT_LAST_RESPONSE_HEADERS_P(zv) OBJ_PROP_NUM(Z_OBJ_P(zv), 34)
typedef struct soap_url_object {
php_uri *uri;
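Review bot: The slot numbers in the renumbered `Z_CLIENT_*_P` macros are kept by hand, and nothing in this hunk ties them to the property order declared in `soap.stub.php`. A later insertion or removal in the stub that misses this list would make every following accessor read a neighbouring slot, including `Z_CLIENT_PASSWORD_P` and the proxy credentials. I would add a comment above the list, which begins before this hunk, such as `/* Slot numbers mirror the property declaration order of SoapClient in soap.stub.php; renumber both together. */`.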
diff --git a/ext/soap/soap.c b/ext/soap/soap.c
index c06ca0f4a1f..f899e9f1133 100644
--- a/ext/soap/soap.c
+++ b/ext/soap/soap.c
@@ -190,6 +190,7 @@ zend_class_entry* soap_var_class_entry;
zend_class_entry *soap_url_class_entry;
zend_class_entry *soap_sdl_class_entry;
+static zend_object_handlers soap_client_object_handlers;
static zend_object_handlers soap_server_object_handlers;
static zend_object_handlers soap_url_object_handlers;
static zend_object_handlers soap_sdl_object_handlers;
@@ -201,10 +202,36 @@ typedef struct {
zend_object std;
} soap_server_object;
+typedef struct {
+ HashTable *typemap;
+ zend_object std;
+} soap_client_object;
+
+static inline soap_client_object *soap_client_object_fetch(zend_object *obj) {
+ return (soap_client_object *) ((char *) obj - XtOffsetOf(soap_client_object, std));
+}
+
static inline soap_server_object *soap_server_object_fetch(zend_object *obj) {
return (soap_server_object *) ((char *) obj - XtOffsetOf(soap_server_object, std));
}
+static zend_object *soap_client_object_create(zend_class_entry *ce)
+{
+ soap_client_object *obj = zend_object_alloc(sizeof(soap_client_object), ce);
+ zend_object_std_init(&obj->std, ce);
+ object_properties_init(&obj->std, ce);
+ return &obj->std;
+}
+
+static void soap_client_object_free(zend_object *obj) {
+ soap_client_object *client_obj = soap_client_object_fetch(obj);
+ if (client_obj->typemap) {
+ zend_hash_destroy(client_obj->typemap);
+ FREE_HASHTABLE(client_obj->typemap);
+ }
+ zend_object_std_dtor(obj);
+}
+
static zend_object *soap_server_object_create(zend_class_entry *ce)
{
soap_server_object *obj = zend_object_alloc(sizeof(soap_server_object), ce);
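Review bot: `soap_client_object` is added without any comment on who owns `typemap` or why it lives outside the property table, although that is the whole point of the fix. I would document it on the struct with `/* Owned by the object and released in soap_client_object_free(); kept out of the property table because its values are IS_PTR zvals. */`. `soap_client_object_create` also appears to rely on `zend_object_alloc()` zeroing the bytes in front of `std` so that `typemap` starts as NULL for the check in the free handler. A short `/* typemap is NULL here: zend_object_alloc() zeroes the custom part */` would make that dependency explicit.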
@@ -503,6 +530,13 @@ PHP_MINIT_FUNCTION(soap)
/* Register SoapClient class */
soap_class_entry = register_class_SoapClient();
+ soap_class_entry->create_object = soap_client_object_create;
+ soap_class_entry->default_object_handlers = &soap_client_object_handlers;
+
+ memcpy(&soap_client_object_handlers, &std_object_handlers, sizeof(zend_object_handlers));
+ soap_client_object_handlers.offset = XtOffsetOf(soap_client_object, std);
+ soap_client_object_handlers.free_obj = soap_client_object_free;
+ soap_client_object_handlers.clone_obj = NULL;
/* Register SoapVar class */
soap_var_class_entry = register_class_SoapVar();
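Review bot: The `soap_client_object_handlers.clone_obj = NULL;` line has no comment, and the reason for it exists only in the commit message. Since this line is the only thing preventing a copy that would not duplicate the internal typemap table, I would record the reason next to it, e.g. `/* No clone handler: the internal typemap table is not duplicated by a default clone. */`. The body of PHP_MINIT_FUNCTION(soap) starts and continues outside this hunk.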
@@ -1993,6 +2027,7 @@ PHP_FUNCTION(is_soap_fault)
/* SoapClient functions */
/* {{{ SoapClient constructor */
+/* FIXME: double construct call will break this class */
PHP_METHOD(SoapClient, __construct)
{
@@ -2216,10 +2251,7 @@ PHP_METHOD(SoapClient, __construct)
}
if (typemap_ht) {
- HashTable *typemap = soap_create_typemap(sdl, typemap_ht);
- if (typemap) {
- ZVAL_ARR(Z_CLIENT_TYPEMAP_P(this_ptr), typemap);
- }
+ soap_client_object_fetch(Z_OBJ_P(this_ptr))->typemap = soap_create_typemap(sdl, typemap_ht);
}
SOAP_CLIENT_END_CODE();
}
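Review bot: The new assignment `soap_client_object_fetch(Z_OBJ_P(this_ptr))->typemap = soap_create_typemap(sdl, typemap_ht);` overwrites the field unconditionally, so a second `__construct()` call on the same object drops the previous table without destroying it. This looks like one concrete form of the breakage that the new FIXME above the constructor mentions only in general terms. Freeing the old table here is not obviously safe either, because `do_soap_call` copies the same pointer into a local and the constructor could be re-entered while that call is still running. Until repeated construction is rejected outright, I would make the FIXME specific: `/* FIXME: a repeated __construct() overwrites ->typemap without freeing it; do_soap_call may still hold the old pointer */`. The constructor body starts outside this hunk.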
@@ -2347,10 +2379,7 @@ static void do_soap_call(zend_execute_data *execute_data,
sdl = Z_SOAP_SDL_P(tmp)->sdl;
}
- tmp = Z_CLIENT_TYPEMAP_P(this_ptr);
- if (Z_TYPE_P(tmp) == IS_ARRAY) {
- typemap = Z_ARR_P(tmp);
- }
+ typemap = soap_client_object_fetch(Z_OBJ_P(this_ptr))->typemap;
clear_soap_fault(this_ptr);
diff --git a/ext/soap/soap.stub.php b/ext/soap/soap.stub.php
index 851b32042bd..fdd4a46e109 100644
--- a/ext/soap/soap.stub.php
+++ b/ext/soap/soap.stub.php
@@ -541,7 +541,6 @@ class SoapClient
private bool $trace = false;
private ?int $compression = null;
private ?Soap\Sdl $sdl = null;
- private ?array $typemap = null;
/** @var resource|null */
private $httpsocket = null;
private ?Soap\Url $httpurl = null;
diff --git a/ext/soap/soap_arginfo.h b/ext/soap/soap_arginfo.h
index e3fdd48e58f..2f7d56ca422 100644
Binary files a/ext/soap/soap_arginfo.h and b/ext/soap/soap_arginfo.h differ
diff --git a/ext/soap/tests/bugs/gh21421.phpt b/ext/soap/tests/bugs/gh21421.phpt
new file mode 100644
index 00000000000..1b8bb3be716
--- /dev/null
+++ b/ext/soap/tests/bugs/gh21421.phpt
@@ -0,0 +1,90 @@
+--TEST--
+GH-21421 (SoapClient typemap property breaks engine assumptions)
+--EXTENSIONS--
+soap
+--FILE--
+<?php
+$options = array(
+'uri' => 'http://schemas.nothing.com',
+'location' => 'test://',
+'typemap' => array(array("type_ns" => "http://schemas.nothing.com",
+"type_name" => "book",
+"from_xml" => "book_from_xml"))
+);
+$client = new SoapClient(NULL, $options);
+var_dump($client);
+?>
+--EXPECTF--
+object(SoapClient)#%d (35) {
+ ["uri":"SoapClient":private]=>
+ string(26) "http://schemas.nothing.com"
+ ["style":"SoapClient":private]=>
+ NULL
+ ["use":"SoapClient":private]=>
+ NULL
+ ["location":"SoapClient":private]=>
+ string(7) "test://"
+ ["trace":"SoapClient":private]=>
+ bool(false)
+ ["compression":"SoapClient":private]=>
+ NULL
+ ["sdl":"SoapClient":private]=>
+ NULL
+ ["httpsocket":"SoapClient":private]=>
+ NULL
+ ["httpurl":"SoapClient":private]=>
+ NULL
+ ["_login":"SoapClient":private]=>
+ NULL
+ ["_password":"SoapClient":private]=>
+ NULL
+ ["_use_digest":"SoapClient":private]=>
+ bool(false)
+ ["_digest":"SoapClient":private]=>
+ NULL
+ ["_proxy_host":"SoapClient":private]=>
+ NULL
+ ["_proxy_port":"SoapClient":private]=>
+ NULL
+ ["_proxy_login":"SoapClient":private]=>
+ NULL
+ ["_proxy_password":"SoapClient":private]=>
+ NULL
+ ["_exceptions":"SoapClient":private]=>
+ bool(true)
+ ["_encoding":"SoapClient":private]=>
+ NULL
+ ["_classmap":"SoapClient":private]=>
+ NULL
+ ["_features":"SoapClient":private]=>
+ NULL
+ ["_connection_timeout":"SoapClient":private]=>
+ int(0)
+ ["_stream_context":"SoapClient":private]=>
+ resource(%d) of type (stream-context)
+ ["_user_agent":"SoapClient":private]=>
+ NULL
+ ["_keep_alive":"SoapClient":private]=>
+ bool(true)
+ ["_ssl_method":"SoapClient":private]=>
+ NULL
+ ["_soap_version":"SoapClient":private]=>
+ int(1)
+ ["_use_proxy":"SoapClient":private]=>
+ NULL
+ ["_cookies":"SoapClient":private]=>
+ array(0) {
+ }
+ ["__default_headers":"SoapClient":private]=>
+ NULL
+ ["__soap_fault":"SoapClient":private]=>
+ NULL
+ ["__last_request":"SoapClient":private]=>
+ NULL
+ ["__last_response":"SoapClient":private]=>
+ NULL
+ ["__last_request_headers":"SoapClient":private]=>
+ NULL
+ ["__last_response_headers":"SoapClient":private]=>
+ NULL
+}
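Review bot: The test pins only the `var_dump` shape and never checks that cloning is now refused, which is the other behaviour change the commit describes. Adding `try { clone $client; } catch (Error $e) { echo $e->getMessage(), "\n"; }` after the `var_dump`, with the matching engine message in `--EXPECTF--`, would cover the `clone_obj = NULL` handler. It would also help if the test made a call that goes through the typemap, so that the internal field is shown to be read as well as hidden.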