
Commit 7477efc

committed
ext/soap: Add test for Set-Cookie option parsing bug.
The cookie option parser uses a wrong offset to start scanning attributes, causing cookie values containing substrings like "path=" or "domain=" to be falsely matched as attributes.
1 parent 35d98cb commit 7477efc

1 file changed

Lines changed: 61 additions & 0 deletions


Lines changed: 61 additions & 0 deletions
@@ -0,0 +1,61 @@
1+
--TEST--
2+
SOAP Set-Cookie option parsing starts at wrong offset due to variable shadowing
3+
--EXTENSIONS--
4+
soap
5+
--SKIPIF--
6+
<?php
7+
if (!file_exists(__DIR__ . "/../../../../sapi/cli/tests/php_cli_server.inc")) {
8+
echo "skip sapi/cli/tests/php_cli_server.inc required but not found";
9+
}
10+
?>
11+
--FILE--
12+
<?php
13+
14+
include __DIR__ . "/../../../../sapi/cli/tests/php_cli_server.inc";
15+
16+
$args = ["-d", "extension_dir=" . ini_get("extension_dir"), "-d", "extension=" . (substr(PHP_OS, 0, 3) == "WIN" ? "php_" : "") . "soap." . PHP_SHLIB_SUFFIX];
17+
if (php_ini_loaded_file()) {
18+
$args[] = "-c";
19+
$args[] = php_ini_loaded_file();
20+
}
21+
22+
// A 10-char name makes the wrong offset land exactly on the value "path=/evil",
23+
// falsely matching it as a path attribute.
24+
$code = <<<'PHP'
25+
header("Content-Type: text/xml");
26+
header("Set-Cookie: sessionkey=path=/evil;domain=good.com");
27+
echo <<<XML
28+
<?xml version="1.0" encoding="UTF-8"?>
29+
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="test-uri">
30+
<SOAP-ENV:Body>
31+
<ns1:testResponse/>
32+
</SOAP-ENV:Body>
33+
</SOAP-ENV:Envelope>
34+
XML;
35+
PHP;
36+
37+
php_cli_server_start($code, null, $args);
38+
39+
$client = new SoapClient(null, [
40+
'location' => 'http://' . PHP_CLI_SERVER_ADDRESS . '/test/endpoint',
41+
'uri' => 'test-uri',
42+
'trace' => true,
43+
]);
44+
45+
try {
46+
$client->__soapCall("test", []);
47+
} catch (SoapFault $e) {
48+
// Response parsing may fault, cookies are still stored
49+
}
50+
51+
$cookies = $client->__getCookies();
52+
53+
// path should default to "/test" from the request URI, not "/evil" from the value.
54+
echo "value: " . $cookies['sessionkey'][0] . "\n";
55+
echo "path: " . $cookies['sessionkey'][1] . "\n";
56+
echo "domain: " . $cookies['sessionkey'][2] . "\n";
57+
?>
58+
--EXPECT--
59+
value: path=/evil
60+
path: /test
61+
domain: good.com
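Review bot: The test covers only the `path=` collision, although the commit message says values containing `domain=` are falsely matched as well. The single cookie sent by `header("Set-Cookie: sessionkey=path=/evil;domain=good.com");` carries a genuine `domain=good.com` attribute, so the `domain: good.com` expectation would presumably still pass if a `domain=` substring inside a value were picked up as the attribute. A second cookie with no domain attribute, whose value holds a `domain=` substring at the affected offset, would cover that case; its stored domain should be printed and expected to fall back to the request host, as the path falls back to `/test`. That is the more security-relevant half of the bug, since a wrongly scoped domain decides which hosts the client later sends the cookie to.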
