From 4cd51d2ae8cfc95f3393faeea5fbefd09c769089 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Tue, 19 May 2026 11:50:05 +0200
Subject: Fix XSS within status endpoint CVE-2026-6735 Fix Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION CVE-2026-7261 Fix Broken Apache map value NULL check CVE-2026-7262
---
php-cve-2026-7261.patch | 150 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 150 insertions(+)
create mode 100644 php-cve-2026-7261.patch
(limited to 'php-cve-2026-7261.patch')
diff --git a/php-cve-2026-7261.patch b/php-cve-2026-7261.patch
new file mode 100644
index 0000000..e837601
--- /dev/null
+++ b/php-cve-2026-7261.patch
@@ -0,0 +1,150 @@
+From 7c59254cb466056131b09304c0d1001e6c434fe7 Mon Sep 17 00:00:00 2001
+From: Ilija Tovilo
+Date: Sun, 3 May 2026 19:57:16 +0200
+Subject: [PATCH 1/5] GHSA-m33r-qmcv-p97q: [soap] Fix use-after-free after
+ header parsing failure with SOAP_PERSISTENCE_SESSION
+
+Fixes GHSA-m33r-qmcv-p97q
+Fixes CVE-2026-7261
+
+(cherry picked from commit db2a7f9348fd5dda5fd162061786a664c417bf5b)
+(cherry picked from commit 5dd8dd8493d49bb6fcd810a6e9d2ffb6fdc15714)
+(cherry picked from commit 63cf032e9675d7d2bbc007c8c787597187a7567b)
+(cherry picked from commit dd14d36e31dd99b7589f917924840fe4f46ca022)
+(cherry picked from commit 7b354983a33c314b76c594c9c5b790e3b073dcf1)
+
+adapt test for 7.2
+
+(cherry picked from commit f91bcf961ac15eacabf33f86f62c17dbec4a39ab)
+(cherry picked from commit ab6fa685773d4efea4de2df4956c97ffd65637e2)
+(cherry picked from commit f91ab4e04bc2f254ea1e49e1b76ff55adbbe3892)
+
+adapt test for 5.6
+---
+ ext/soap/soap.c | 26 +++++++++--
+ ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt | 62 +++++++++++++++++++++++++
+ 2 files changed, 85 insertions(+), 3 deletions(-)
+ create mode 100644 ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
+
+diff --git a/ext/soap/soap.c b/ext/soap/soap.c
+index 569701a469..21f11be7fa 100644
+--- a/ext/soap/soap.c
++++ b/ext/soap/soap.c
+@@ -1837,7 +1837,17 @@ PHP_METHOD(SoapServer, handle)
+ php_output_discard(TSRMLS_C);
+ soap_server_fault_ex(function, &h->retval, h TSRMLS_CC);
+ efree(fn_name);
+- if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(&soap_obj);}
++ if (service->type == SOAP_CLASS && soap_obj) {
++#if HAVE_PHP_SESSION && !defined(COMPILE_DL_SESSION)
++ if (service->soap_class.persistance != SOAP_PERSISTENCE_SESSION) {
++ zval_ptr_dtor(&soap_obj);
++ soap_obj = NULL;
++ }
++#else
++ zval_ptr_dtor(&soap_obj);
++ soap_obj = NULL;
++#endif
++ }
+ goto fail;
+ } else if (EG(exception)) {
+ php_output_discard(TSRMLS_C);
+@@ -1852,7 +1862,17 @@ PHP_METHOD(SoapServer, handle)
+ soap_server_fault_ex(function, EG(exception), h TSRMLS_CC);
+ }
+ efree(fn_name);
+- if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(&soap_obj);}
++ if (service->type == SOAP_CLASS && soap_obj) {
++#if HAVE_PHP_SESSION && !defined(COMPILE_DL_SESSION)
++ if (service->soap_class.persistance != SOAP_PERSISTENCE_SESSION) {
++ zval_ptr_dtor(&soap_obj);
++ soap_obj = NULL;
++ }
++#else
++ zval_ptr_dtor(&soap_obj);
++ soap_obj = NULL;
++#endif
++ }
+ goto fail;
+ }
+ } else if (h->mustUnderstand) {
+@@ -2838,7 +2858,7 @@ static void do_soap_call(zval* this_ptr,
+ } zend_catch {
+ _bailout = 1;
+ } zend_end_try();
+-
++
+ if (SOAP_GLOBAL(encoding) != NULL) {
+ xmlCharEncCloseFunc(SOAP_GLOBAL(encoding));
+ }
+diff --git a/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
+new file mode 100644
+index 0000000000..ae94c67c96
+--- /dev/null
++++ b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
+@@ -0,0 +1,62 @@
++--TEST--
++GHSA-m33r-qmcv-p97q: Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
++--CREDITS--
++Ilia Alshanetsky (iliaal)
++--EXTENSIONS--
++soap
++session
++--FILE--
++ 'urn:a']);
++$srv->setClass(Handler::class);
++$srv->setPersistence(SOAP_PERSISTENCE_SESSION);
++
++$x = <<
++
++
++
++
++
++
++
++
++XML;
++$srv->handle($x);
++
++$x = <<
++
++
++
++
++
++
++
++
++XML;
++$srv->handle($x);
++
++?>
++--EXPECT--
++
++SOAP-ENV:Serverdenied
++
++SOAP-ENV:Serverdenied
+--
+2.54.0
+
-- cgit
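Review bot: The eleven-line release block is pasted identically into both error branches of SoapServer::handle (the inner hunks at -1837 and -1852), and nothing in it records why the SOAP_PERSISTENCE_SESSION case must skip `zval_ptr_dtor(&soap_obj)`. Since the use-after-free being fixed came from these branches releasing the object unconditionally, a comment above the inner `if` such as `/* session-persistent object is still referenced by the session data; releasing it here left a dangling pointer (CVE-2026-7261) */` would keep a later cleanup from collapsing the block back; the ownership reasoning is inferred from the patch subject, so confirm it against the session-store code, which is outside the hunk. In the session case soap_obj stays non-NULL across `goto fail`, and the `fail:` label is also outside the hunk, so it is worth checking that nothing there releases it a second time. The added phpt relies on `--EXTENSIONS--`; if the run-tests.php shipped with this 5.6 backport does not recognise that section, the test will fail rather than skip when soap or session is not loaded, and a `--SKIPIF--` guard would cover that.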