From 16c2b25d363d73d72a3139e747cc9d5c8d5bef2b Mon Sep 17 00:00:00 2001
From: Ilija Tovilo <ilija.tovilo@me.com>
Date: Sat, 25 Apr 2026 00:44:37 +0200
Subject: [PATCH 3/6] GHSA-hmxp-6pc4-f3vv: [soap] Fix broken Apache map value
 NULL check

Fixes GHSA-hmxp-6pc4-f3vv
Fixes CVE-2026-7262

(cherry picked from commit 79551ab8b1a97760c739e372f9bc359619f3554d)
(cherry picked from commit aed3e63e282235b32a07ca28cc20728eedfcfec3)
(cherry picked from commit 8c897384b867a573d52a04b455fe2da30671d0ea)
(cherry picked from commit b41a11a9786cc5b6b343b47c37ad8c1fdc2dbf33)
(cherry picked from commit 254773b5b1d0ef25409c35e74b87c5ef93459115)
(cherry picked from commit c21561700dcfc3304322845c2d3da028c3c73345)
---
 ext/soap/php_encoding.c                 |  2 +-
 ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt | 39 +++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)
 create mode 100644 ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt

diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
index 85e4f94c89..1a6e0f28ba 100644
--- a/ext/soap/php_encoding.c
+++ b/ext/soap/php_encoding.c
@@ -2753,7 +2753,7 @@ static zval *to_zval_map(zval *ret, encodeTypePtr type, xmlNodePtr data)
 			}
 
 			xmlValue = get_node(item->children, "value");
-			if (!xmlKey) {
+			if (!xmlValue) {
 				soap_error0(E_ERROR,  "Encoding: Can't decode apache map, missing value");
 			}
 
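Review bot: The corrected `if (!xmlValue)` guard has no `return` or `else` after `soap_error0(E_ERROR, ...)`, so whatever uses xmlValue below the hunk is only safe if that call never returns. The new test expecting a SOAP fault suggests it does bail out, but the check reads as fall-through; a one-line comment such as `/* soap_error0(E_ERROR, ...) does not return */` would make that invariant explicit for the next reader. The wrong-variable test was presumably copied from the key check that closes just above the hunk, so the other `get_node()` result checks in this file are worth a quick look for the same slip. to_zval_map begins and ends outside the hunk.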
diff --git a/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
new file mode 100644
index 0000000000..e46ab2e460
--- /dev/null
+++ b/ext/soap/tests/GHSA-hmxp-6pc4-f3vv.phpt
@@ -0,0 +1,39 @@
+--TEST--
+GHSA-hmxp-6pc4-f3vv: Null pointer dereference on missing Apache map value
+--CREDITS--
+Ilia Alshanetsky (iliaal)
+--EXTENSIONS--
+soap
+--FILE--
+<?php
+
+$request = <<<XML
+<?xml version="1.0" encoding="UTF-8"?>
+<soap:Envelope
+    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+    xmlns:apache="http://xml.apache.org/xml-soap">
+
+    <soap:Body>
+        <test>
+            <map xsi:type="apache:Map">
+                <item><key>hello</key></item>
+            </map>
+        </test>
+    </soap:Body>
+</soap:Envelope>
+XML;
+
+$server = new SoapServer(null, [
+    'uri' => 'urn:test',
+    'typemap' => [['type_name' => 'anything']],
+]);
+$server->addFunction('test');
+function test($m) { return null; }
+$server->handle($request);
+
+?>
+--EXPECT--
+<?xml version="1.0" encoding="UTF-8"?>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>SOAP-ERROR: Encoding: Can't decode apache map, missing value</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
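Review bot: The `'typemap' => [['type_name' => 'anything']]` option passed to `SoapServer` is unexplained, and the test does not show whether it is required to reach the Apache map decoder or is left over from the original report. A short comment above that line stating why the entry is needed would keep a later cleanup from turning this into a test that no longer exercises the fixed check. The test also pins only a single `<item>` with no `<value>`; adding a well-formed item before the broken one would confirm the fault is raised mid-map as well.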
-- 
2.54.0