PHP :: Bug #54312 :: soap_version logic bug

Bug #54312 soap_version logic bug
Submitted: 2011-03-19 07:29 UTC
Modified: 2011-03-19 18:38 UTC
From: tom at samplonius dot org
Assigned: felipe
Status: Closed
Package: SOAP related
PHP Version: 5.3.6
OS: CentOS 4
Private report: No
CVE-ID: None

 [2011-03-19 07:29 UTC] tom at samplonius dot org

Description:
------------
This code in soap.c:

if (zend_hash_find(ht, "soap_version", sizeof("soap_version"), (void**)&tmp) == SUCCESS) {
  if (Z_TYPE_PP(tmp) == IS_LONG ||
    (Z_LVAL_PP(tmp) == SOAP_1_1 && Z_LVAL_PP(tmp) == SOAP_1_2)) {
      version = Z_LVAL_PP(tmp);
  }
}

has a problem with the second line of the inner if statement.  Z_LVAL_PP(tmp) can't be both equal to SOAP_1_1 and SOAP_1_2, so this part will always be false.

Plus, the "||" logic seems wrong too.  It appears that if the type is IS_LONG, then any value is accepted.  

Patch is attached.

It looks like the logic is inverted.  || should be && and && should be ||:

if (zend_hash_find(ht, "soap_version", sizeof("soap_version"), (void**)&tmp) == SUCCESS) {
  if (Z_TYPE_PP(tmp) == IS_LONG &&
    (Z_LVAL_PP(tmp) == SOAP_1_1 || Z_LVAL_PP(tmp) == SOAP_1_2)) {
      version = Z_LVAL_PP(tmp);
  }
}



Patches

soap.c.patch (last revision 2011-03-19 06:30 UTC by tom at samplonius dot org)
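
The effect of the two conditions quoted in the report, as an added example that is not part of the original report or of the PHP source. It uses a simplified stand-in for the zval and the Zend macros, and an assumed default of SOAP_1_1, to show which option values each condition lets through to `version`.

```c
#include <stdio.h>

/* Simplified stand-ins for the Zend type tags and SOAP constants used in
   the snippet (assumptions for this example, not the real zval layout). */
enum { IS_LONG = 1, IS_STRING = 6 };
enum { SOAP_1_1 = 1, SOAP_1_2 = 2 };

typedef struct { int type; long lval; } demo_zval;

/* Condition as quoted from soap.c: the && branch can never be true,
   so the whole test reduces to "is the value a long?". */
static int accepts_buggy(const demo_zval *v) {
    return v->type == IS_LONG ||
           (v->lval == SOAP_1_1 && v->lval == SOAP_1_2);
}

/* Condition as proposed in the report: type check AND allow-list. */
static int accepts_fixed(const demo_zval *v) {
    return v->type == IS_LONG &&
           (v->lval == SOAP_1_1 || v->lval == SOAP_1_2);
}

/* Mirrors the assignment in the snippet: the default is kept unless the
   option passes the check (the SOAP_1_1 default is assumed here). */
static long pick_version(const demo_zval *v,
                         int (*accepts)(const demo_zval *)) {
    long version = SOAP_1_1;
    if (accepts(v)) {
        version = v->lval;
    }
    return version;
}

int main(void) {
    /* Constructed sample option values. */
    const demo_zval samples[] = {
        { IS_LONG, 1 }, { IS_LONG, 2 }, { IS_LONG, 99 },
        { IS_LONG, -1 }, { IS_STRING, 2 },
    };
    puts("type  lval  buggy  fixed");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%4d  %4ld  %5ld  %5ld\n", samples[i].type, samples[i].lval,
               pick_version(&samples[i], accepts_buggy),
               pick_version(&samples[i], accepts_fixed));
    }
    return 0;
}
```

With the original condition, out-of-range longs such as 99 or -1 become the stored version; with the proposed one they fall back to the default.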


 [2011-03-19 18:38 UTC] felipe@php.net

-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: felipe

 [2011-03-19 18:38 UTC] felipe@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Thanks for the patch! :)