Two issues:
1) We should not modify the object when we pass invalid values
2) We should reset the properties to their default value otherwise we
get a UAF.
Regressed in df219ccf9d
Closes GH-15248.
RFC 2617 and 7616 describe that for the "Authorization" header we should
not put the qop nor nc value inside quotes. This differs from the
WWW-Authenticate header, which may have been the source of the confusion
in the implementation. While the version with quotes seems to work fine
in some cases, clearly not all servers accept the non-standard form.
To fix the issue, simply removing the quotes of those two header fields
of the client request to be in line with the RFC suffices.
I refer further to example 3.5 in RFC 2617 and example 3.9.1 in
RFC 7616.
RFC 2617: https://datatracker.ietf.org/doc/html/rfc2617
RFC 7616: https://datatracker.ietf.org/doc/html/rfc7616
Closes GH-14328.
There's a hash table that maps type names to class name, but names with
a leading backslash are not supported. The engine has logic to strip
away the leading backslash that we should replicate here.
It works by checking if we need to make an actual copy in case an
unexpected (e.g. invalid data or leading backslash) situations are
detected. Upon making a copy we normalize the data in the table.
Furthermore, previously the code assumed that the key was always valid
and that the structure was a non-packed hash table. This isn't
necessarily the case. The new code fixes this as well.
Closes GH-14398.
There's a few leaks where the string is copied for lowercasing but not released.
Where possible, use the _lc functionality of zend_hash to do the lookup
to avoid the leaks that currently exist with the manual lowercasing.
Closes GH-14390.
zend_ini_long() actually expects the length without the NUL byte, but
we're passing the length *with* the NUL byte. This mess can actually be
avoided altogether by using INI_INT, so use that instead.
Closes GH-14382.
The naming of the userland functions is terrible and confused me.
gzdecode() is actually the function to decompress a gzip stream, and
gzuncompress() is the one to decompress a deflate stream...
See zlib.c to see the internal function -> type mapping.
The incorrect functions are being called to deal with incoming
compressed data.
gzip/x-gzip corresponds to gzuncompress(), while deflate corresponds to
gzinflate().
The existing code for gzip compression also plays with removing the
first 10 bytes (i.e. the gzip header) to pass it to the inflate
implementation but that doesn't always work properly due to trailer
data. Get rid of that entirely by using the correct functions.
Closes GH-14321.
If there are two users that can execute the script that caches a WSDL,
but the script is owned by a single user, then the caching code will
name the cached file with the file owner username and a hash of the uri.
When one of the two tries to rename the file created by the other
process, this does not work because it has no permission to do so.
This then leaves temporary files floating in the temp directory.
To fix the immediate problem, unlink the file after rename has failed.
On the long term, this has to be fixed by taking the username of the
process instead of the username of the file owner.
Closes GH-12841.
Setting the stream context via php_stream_context_to_zval() will
increase the reference count. So if the new context is created, then it
will end up with a reference count of 2 while it should be 1.
Credits to cmb for the analysis. I arrived at the same patch as he did.
Closes GH-12523.
When we have two processes both trying to cache a WSDL, they might start
writing the data to the same temporary file, causing file corruption due
to the race condition. Fix this by creating a temporary file first, and
then moving it to the final location. If moving fails then we know
another process finished caching first.
This also fixes#67617 as a consequence of its implementation.
Closes GH-12469.
There are two issues:
- UAF because the hashmap resized while being iterated over, yet the local
variables used internally in the macros are not updated.
- The hashmap being iterated over is modified: entries are deleted after
other entries have been added. This causes the deletion to fail sometimes
because indices of buckets have shifted.
Fix it by using a while loop iteration and HashPosition position tracker
instead.
Issue exists on PHP 8.1 too, but is much harder to trigger.
The test file reproduces the issue reliably on PHP 8.2 and up.
Closes GH-12409.
