php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #44882 SOAP extension object decoding bug
Submitted: 2008-05-01 18:02 UTC Modified: 2008-11-27 14:50 UTC
Votes:14
Avg. Score:4.9 ± 0.3
Reproduced:14 of 14 (100.0%)
Same Version:9 (64.3%)
Same OS:13 (92.9%)
From: mike at silverorange dot com Assigned: dmitry
Status: Closed Package: SOAP related
PHP Version: 5.2.5 OS: *
Private report: No CVE-ID:
 [2008-05-01 18:02 UTC] mike at silverorange dot com
Description:
------------
When decoding a SOAP response into zvals, the decoder sometimes gets confused decoding objects. We noticed this using the PayPal Express Checkout SOAP API.

For one request type, the returned XML was correct; however, the decoded PHP objects that were returned were incorrect. One value that should have been a string was a string reference and an object that should have been an object was as string.

Upon further investigation, we found other users had been experiencing this specific problem using PayPal's SOAP API with PHP since PHP 5.2.2.

After a bit of CVS research, it seems the bug was introduced in 1.103.2.21.2.27 in soap_encoding.c to fix bug #37013.

The patch at http://labs.silverorange.com/files/php-patches/soap-object-reference-bug-20080501.patch works around the bug for our needs, but it does not fix the underlying problem and probably reintroduces #37013.

Reproduce code:
---------------
I can't provide a runnable test case unless you have PayPal developer API credentials. If so, you can run the unit tests in the package at:

http://labs.silverorange.com/files/Payment_PayPal_Soap/Payment_PayPal_Soap-0.0.4.tgz

The second test will fail if the bug is present and pass if the bug is fixed.

I've attached a var_dump of broken an working SOAP results to illustrate the broken 'PayerInfo' element parsing.

Expected result:
----------------
object(stdClass)#114 (6) {
  ["Timestamp"]=>
  string(20) "2008-05-01T17:41:45Z"
  ["Ack"]=>
  string(7) "Success"
  ["CorrelationID"]=>
  string(13) "9d6aa8c0309df"
  ["Version"]=>
  string(8) "1.000000"
  ["Build"]=>
  string(6) "548868"
  ["GetExpressCheckoutDetailsResponseDetails"]=>
  object(stdClass)#113 (2) {
    ["Token"]=>
    string(20) "EC-6AU15743MX2745842"
    ["PayerInfo"]=>
    object(stdClass)#112 (6) {
      ["Payer"]=>
      string(0) ""
      ["PayerID"]=>
      string(0) ""
      ["PayerStatus"]=>
      string(10) "unverified"
      ["PayerName"]=>
      object(stdClass)#110 (5) {
        ["Salutation"]=>
        string(0) ""
        ["FirstName"]=>
        string(0) ""
        ["MiddleName"]=>
        string(0) ""
        ["LastName"]=>
        string(0) ""
        ["Suffix"]=>
        string(0) ""
      }
      ["PayerBusiness"]=>
      string(0) ""
      ["Address"]=>
      object(stdClass)#111 (9) {
        ["Name"]=>
        string(0) ""
        ["Street1"]=>
        string(0) ""
        ["Street2"]=>
        string(0) ""
        ["CityName"]=>
        string(0) ""
        ["StateOrProvince"]=>
        string(0) ""
        ["CountryName"]=>
        string(0) ""
        ["PostalCode"]=>
        string(0) ""
        ["AddressOwner"]=>
        string(6) "PayPal"
        ["AddressStatus"]=>
        string(4) "None"
      }
    }
  }
}

Actual result:
--------------
object(stdClass)#114 (6) {
  ["Timestamp"]=>
  string(20) "2008-05-01T17:56:31Z"
  ["Ack"]=>
  string(7) "Success"
  ["CorrelationID"]=>
  string(13) "233fdab3c0758"
  ["Version"]=>
  string(8) "1.000000"
  ["Build"]=>
  string(6) "548868"
  ["GetExpressCheckoutDetailsResponseDetails"]=>
  object(stdClass)#113 (2) {
    ["Token"]=>
    &string(20) "EC-8JA130819B922424F"
    ["PayerInfo"]=>
    string(20) "EC-8JA130819B922424F"
  }
}

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-06-23 15:23 UTC] anomie at users dot sf dot net
Here is a test case that illustrates the bug, using the same technique the ext/soap test cases in the PHP distribution use. Please excuse the big block-o-base64, the namespace URIs in the XML were apparently triggering your spam filter.

<?php

class TestSoapClient extends SoapClient {
	public function __doRequest($req, $loc, $act, $ver, $oneway){
		$data=<<<EOF
nZdbd9o4EIDf8ys49BlkQ7IBH0KXOOluzoaEU0i33Zc9ij0k2tgWleQA++s7snzBlxQ3vCRIM99c
NRKTj7sw6LyCkIxHF127b3U7EHncZ9HTRfdh9ak36n6cnkyW97NF7/rui3MdvULAN9BBvUg62fpF
91mpjUOI9J4hpLKP25LTTZ+LJ6L/IZAqkm5Z1W2jahzKVXeS5Vrb7ba/HSbCA8uyydf57TIB9Vgk
FY08KLT841qFcHtZz7voxiJy4JHuHbph0nG5AJeHGx5BpFb7DchMdivjnwa8ldrIgFjnJFYsYGqf
aUoaBsYOpxJtRDQE6SjPWc7mtw5WzqFSglBYyEzFfysIi1hjgjK+ZE8fMumQihdQ1VDmyWomQ2NP
JZ1SFpqZ5dxV9j/IZ7YpizkLul/QYLa4IZlAH2uSK9UUzFq+/4J5rAnoxSK3Elol1x4QCR7s8rDg
MaiS4fL2ksqiinkFI/lWWN3pSadTHJU/gfog9JpeBS8WWE0D+WUvJXNUEr6O0clgurO6JLXwGb7H
IBUIV4CPDjMayMzaG/4ecDEDjhtLxcMMbtxPTBgLaOMIujlrJRsP2KI3/gJbdcuFX6IjX+/qvj5Q
2mGRlcDTnwWaCGaAo4LL+PE/8NTP5SbkILA0naQpn0mBSUOFi6pfcn/fYThp/rXSyCZ/gLrebQRI
6T6D98JjdQWKskB+BolpknCkTLmbK4ZHXtFw0zb5U2ykUc/6rTcYruxT58x2rNE/E5JzpicZeua9
tIYuY8/DYCYElYrW4EJAQPUYuLlqjaJg2UNqeZ6/todYhkNIjv5irqfW0DOrbyWfCUlVc9RlzAK/
PWg0Gp4iJdHKGUfLmX595wlpi6+enRV/gajCqoASEaN37fZs+9v5mT08Xw2G4/H4bOBiY2iB0jHb
43GN1rzCzdcrTmQqVTdCdHjm+9oXowE77L4Afk//9j0eTkiiWofpdqrPkCsDmj+MBn/PToffvs7H
boooWqeALBVVsayHgUdM48y2y30wWHwRsTUDPyWa7Tr1rjyrEiZ2HI/0Ri03ekzQIFZJf7ftDlIh
fGJCKmO3ZRdfmxxPSK6aH/uUOWe+H8CvQKte3dL3OpVpVhMVr9ds9y530ppVoaZiLo8jJfbVm8+s
FvV/WKaUdKcOuowli7Cfj91Aeraazq/YLJ2HcvB3b12BWdo6efqayrlUAkDZzQR7MMy0O0uFl5kR
njYhBseD05MfHwtHPcbZnorVLFEF92Ih+CvDx3ozZPaXdrQkWHWifV0bSloAEg8fIqbA7yQWZa7Q
lOoFx3s00Pxmx8f6g62Ui1Wspk1wv41qQ/NwqwjAjCy8eg92m5mNE6+0V1BdHq2ZCPW8K0mUj1W6
dXA/kPwiKJ5Sbe+v7J11VD7J+cGrS7+w8Ccpqf0mnZ78AA==
EOF;
		return gzinflate(base64_decode($data));
	}
}

$client=new TestSoapClient("https://www.paypal.com/wsdl/PayPalSvc.wsdl");
var_dump($client->GetExpressCheckoutDetails(array('GetExpressCheckoutDetailsRequest'=>array('Version'=>50.0,'Token'=>'dummy'))));

?>
 [2008-10-01 20:27 UTC] mike at silverorange dot com
I've moved the test provided by anomie into a phpt file at http://labs.silverorange.com/files/php-bug44882/. The WSDL file is not included locally as it is the copyrighted work of PayPal.

The test passes using the associated patch but fails against the latest snapshot (5.2-200810011830).

What else is needed to get this bug fixed?
 [2008-10-21 11:35 UTC] jani@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/


 [2008-10-21 12:39 UTC] mike at silverorange dot com
The test still fails using the 5.2-200810211030 snapshot.
 [2008-11-07 16:12 UTC] anomie at users dot sf dot net
Still fails in php5.2-200811071330.tar.bz2.
 [2008-11-07 16:45 UTC] anomie at users dot sf dot net
I did a little digging for you PHP devs. What happens here is:

1. Something does a first pass through the soap xml response.
1a. For each node, a zval is allocated.
1b. soap_check_xml_ref saves the pointer to the allocated zval for each node.

2. Sometime after this, all those zvals from the first pass get freed.

3. Something does a second pass through the soap xml response.
3a. For each node, a zval is allocated. If we're lucky, the allocated zval is at the same address as during the first pass and nothing overwrote that memory in the mean time.
3b. soap_check_xml_ref tries to reuse the saved zval pointer for each node. If we got lucky in 3a, it seems to work fine. If we're unlucky, it now uses the wrong zval or something that's not a zval at all.
 [2008-11-17 14:03 UTC] tony2001@php.net
Assigned to the extension maintainer.
 [2008-11-27 14:50 UTC] dmitry@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 23 14:02:33 2014 UTC