From ab6fa685773d4efea4de2df4956c97ffd65637e2 Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sun, 3 May 2026 19:57:16 +0200
Subject: [PATCH 2/6] GHSA-m33r-qmcv-p97q: [soap] Fix use-after-free after
header parsing failure with SOAP_PERSISTENCE_SESSION
Fixes GHSA-m33r-qmcv-p97q
Fixes CVE-2026-7261
(cherry picked from commit db2a7f9348fd5dda5fd162061786a664c417bf5b)
(cherry picked from commit 5dd8dd8493d49bb6fcd810a6e9d2ffb6fdc15714)
(cherry picked from commit 63cf032e9675d7d2bbc007c8c787597187a7567b)
(cherry picked from commit dd14d36e31dd99b7589f917924840fe4f46ca022)
(cherry picked from commit 7b354983a33c314b76c594c9c5b790e3b073dcf1)
adapt test for 7.2
(cherry picked from commit f91bcf961ac15eacabf33f86f62c17dbec4a39ab)
---
ext/soap/soap.c | 12 ++++-
ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt | 60 +++++++++++++++++++++++++
2 files changed, 70 insertions(+), 2 deletions(-)
create mode 100644 ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
diff --git a/ext/soap/soap.c b/ext/soap/soap.c
index a1f4cccdbe..e5f729fe42 100644
--- a/ext/soap/soap.c
+++ b/ext/soap/soap.c
@@ -1835,13 +1835,21 @@ PHP_METHOD(SoapServer, handle)
php_output_discard();
soap_server_fault_ex(function, &h->retval, h);
efree(fn_name);
- if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);}
+ if (service->type == SOAP_CLASS && soap_obj) {
+ if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) {
+ zval_ptr_dtor(soap_obj);
+ }
+ }
goto fail;
} else if (EG(exception)) {
php_output_discard();
_soap_server_exception(service, function, getThis());
efree(fn_name);
- if (service->type == SOAP_CLASS && soap_obj) {zval_ptr_dtor(soap_obj);}
+ if (service->type == SOAP_CLASS && soap_obj) {
+ if (service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) {
+ zval_ptr_dtor(soap_obj);
+ }
+ }
goto fail;
}
} else if (h->mustUnderstand) {
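Review bot: The persistence guard is written out twice, once in the fault branch and once in the `EG(exception)` branch, and neither copy says why a session-persistent object must not be released here. A short comment would record the reason, for example `/* SOAP_PERSISTENCE_SESSION: the object is still referenced from the session, do not release it here */`, assuming that is the ownership model behind the fix. The nested test also reads more easily as one condition: `if (service->type == SOAP_CLASS && soap_obj && service->soap_class.persistence != SOAP_PERSISTENCE_SESSION) {`. The body of `PHP_METHOD(SoapServer, handle)` starts and ends outside the hunk, so whether any other exit path still releases `soap_obj` unconditionally cannot be checked from here.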
diff --git a/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
new file mode 100644
index 0000000000..6e4e9e75fb
--- /dev/null
+++ b/ext/soap/tests/GHSA-m33r-qmcv-p97q.phpt
@@ -0,0 +1,60 @@
+--TEST--
+GHSA-m33r-qmcv-p97q: Use-after-free after header parsing failure with SOAP_PERSISTENCE_SESSION
+--CREDITS--
+Ilia Alshanetsky (iliaal)
+--EXTENSIONS--
+soap
+session
+--FILE--
+<?php
+
+class Handler {
+ public function return() {
+ return new SoapFault('Server', 'denied');
+ }
+ public function throw() {
+ throw new SoapFault('Server', 'denied');
+ }
+ public function hello() {
+ return 'ok';
+ }
+}
+
+session_start();
+
+$srv = new SoapServer(null, ['uri' => 'urn:a']);
+$srv->setClass(Handler::class);
+$srv->setPersistence(SOAP_PERSISTENCE_SESSION);
+
+$x = <<<XML
+<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="urn:a">
+ <soap:Header>
+ <a:return/>
+ </soap:Header>
+ <soap:Body>
+ <a:hello/>
+ </soap:Body>
+</soap:Envelope>
+XML;
+$srv->handle($x);
+
+$x = <<<XML
+<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="urn:a">
+ <soap:Header>
+ <a:throw/>
+ </soap:Header>
+ <soap:Body>
+ <a:hello/>
+ </soap:Body>
+</soap:Envelope>
+XML;
+$srv->handle($x);
+
+?>
+--EXPECT--
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>denied</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>denied</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
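Review bot: The test never touches the persisted `Handler` again after the two failing header calls, so on a build without a memory checker it likely passes with or without the fix. It only compares the two fault envelopes. A third `handle()` call with a plain `hello` body and no header would exercise the session object after both failure paths, making a regression more likely to show up as a crash or a wrong response. The `--EXPECT--` section would then need the matching `hello` response appended after the two fault envelopes.

```php
// … unchanged: the two requests whose header handler returns / throws a SoapFault …

// Constructed follow-up request: reuse the session-persisted Handler after both failures.
$x = <<<XML
<?xml version="1.0" encoding="UTF-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="urn:a">
  <soap:Body>
    <a:hello/>
  </soap:Body>
</soap:Envelope>
XML;
$srv->handle($x);
```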
--
2.54.0