Bug #70993 Array key references break argument processing
Submitted: 2015-11-29 04:35 UTC Modified: 2016-11-30 03:32 UTC
From: php at ontheroad dot net dot nz Assigned: laruence
Status: Closed Package: SOAP related
PHP Version: 7.0.0RC8 OS: Ubuntu 14.04
Private report: No CVE-ID:
 [2015-11-29 04:35 UTC] php at ontheroad dot net dot nz
Description:
------------
Using references to array keys in arguments to SOAP calls seems to break the argument processing of SOAP arguments.  This works fine in PHP 5.5 but breaks in PHP 7.0.0RC8.

PHP7.0.0RC8 configuration
 
'./configure'  '--prefix=/usr/local/php7' '--with-config-file-scan-dir=/usr/local/php7/etc/conf.d' '--enable-bcmath' '--with-bz2' '--enable-calendar' '--enable-intl' '--enable-exif' '--enable-dba' '--enable-ftp' '--with-gettext' '--with-gd' '--with-jpeg-dir' '--enable-mbstring' '--with-mcrypt' '--with-mhash' '--enable-mysqlnd' '--with-mysql=mysqlnd' '--with-mysql-sock=/var/run/mysqld/mysqld.sock' '--with-mysqli=mysqlnd' '--with-pdo-mysql=mysqlnd' '--with-openssl' '--enable-pcntl' '--with-pspell' '--enable-shmop' '--enable-soap' '--enable-sockets' '--enable-sysvmsg' '--enable-sysvsem' '--enable-sysvshm' '--enable-wddx' '--with-zlib' '--enable-zip' '--with-readline' '--with-curl' '--enable-fpm' '--with-fpm-user=www-data' '--with-fpm-group=www-data

No modifications to php.ini.

The web services in question are not public, so I can't provide a completely working example, however it seems like the behaviour should be independent of the service itself (although possibly it does somehow depend on the service definition) and it may not be related to SOAP at all, but this is the situation in which I've seen it.

The example provides two SoapClient children which pre-process the arguments given.  Both do the same thing, but one assigns a variable with a reference while the other assigns a variable without.  The only difference is the reference assignment, but the one with the reference ends up not processing the arguments at all and passing a request without arguments.

The key line in the example is 32 (https://gist.github.com/anonymous/6d20b14d0f5fedbc04ca#file-example-php-L32bug-example-L17), where we assign a reference to $params[0]; the array index already exists, so it's not created by the assignment, but we can see on line 18 (https://gist.github.com/anonymous/6d20b14d0f5fedbc04ca#file-example-php-L18) that the SoapClientFine class does exactly the same but without a reference and it works OK.

Recompiling with --enable-debug and running valgrind as described in https://bugs.php.net/bugs-getting-valgrind-log.php shows no difference between runs with the SoapClientFine and with the SoapClientBroken (0 definitely/indirectly/possibly lost, 54 blocks still reachable).

Test script:
---------------
Example is at https://gist.github.com/anonymous/6d20b14d0f5fedbc04ca
Expected/Actual results are at https://gist.github.com/anonymous/c7bd9d0cf1c4246beb69 due to spam detection not letting me include it below.

Expected result:
----------------
See https://gist.github.com/anonymous/c7bd9d0cf1c4246beb69

Actual result:
--------------
See https://gist.github.com/anonymous/c7bd9d0cf1c4246beb69
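
The comparison the report describes can be run offline as a regression check. This is an added example, not the reporter's gist or php-src code: the class names, the `lookup` operation, the `urn:example` namespace and the marker string are constructed, and `__doRequest` is overridden so nothing is sent over the network.

```php
<?php
// Added example (constructed, not the reporter's gist).
// Captures the outgoing envelope instead of sending it, so it runs offline.
class CapturingClient extends SoapClient
{
    public $lastBody = '';

    #[\ReturnTypeWillChange] // silences the PHP 8.1+ notice; a comment on PHP 7
    public function __doRequest($request, $location, $action, $version, $oneWay = 0)
    {
        $this->lastBody = $request;
        return ''; // stub response
    }
}

// Pre-processes the arguments through a plain copy of $args[0].
class ByValueClient extends CapturingClient
{
    #[\ReturnTypeWillChange]
    public function __call($name, $args)
    {
        $first = $args[0];
        return parent::__call($name, $args);
    }
}

// Same, but binds a reference to the existing key, so $args[0] becomes a reference.
class ByReferenceClient extends CapturingClient
{
    #[\ReturnTypeWillChange]
    public function __call($name, $args)
    {
        $first = &$args[0];
        return parent::__call($name, $args);
    }
}

// True when the argument value appears in the serialized request.
function argumentReachesRequest($class)
{
    $marker = 'marker-70993'; // constructed value
    $client = new $class(null, ['location' => 'http://localhost/', 'uri' => 'urn:example']);
    try {
        $client->lookup($marker); // hypothetical operation name
    } catch (SoapFault $e) {
        // The stub response may surface as a fault; only the request matters here.
    }
    return strpos($client->lastBody, $marker) !== false;
}

foreach (['ByValueClient', 'ByReferenceClient'] as $class) {
    printf("%-18s %s\n", $class, argumentReachesRequest($class) ? 'argument sent' : 'ARGUMENT MISSING');
}
```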

 [2015-11-29 15:24 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2015-11-29 15:24 UTC] laruence@php.net
I can not reproduce this, so I can only give a guess. Could you please try to verify whether this fix works?
diff --git a/ext/soap/soap.c b/ext/soap/soap.c
index 4c746aa..219169d 100644
--- a/ext/soap/soap.c
+++ b/ext/soap/soap.c
@@ -2940,6 +2940,7 @@ PHP_METHOD(SoapClient, __call)
 	if (arg_count > 0) {
 		real_args = safe_emalloc(sizeof(zval), arg_count, 0);
 		ZEND_HASH_FOREACH_VAL(Z_ARRVAL_P(args), param) {
+			ZVAL_DEREF(param);
 			/*zval_add_ref(param);*/
 			ZVAL_COPY_VALUE(&real_args[i], param);
 			i++;
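
Review bot: The ZVAL_DEREF(param) at the top of the loop unwraps only the top-level entries of args; a reference held inside an array-valued argument is still copied into real_args[i] unchanged, so that path should be checked in whatever consumes real_args as well. Because the change was written without a reproducer, please add a .phpt under ext/soap/tests that binds a reference to an existing element of the argument array before calling parent::__call and asserts that the argument appears in the request. Minor: ZVAL_COPY_VALUE takes no reference count and the zval_add_ref call is commented out, so real_args borrows its values from args; a one-line comment stating that args must outlive real_args would help the next reader.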
 [2015-11-29 15:25 UTC] laruence@php.net
-Status: Assigned +Status: Feedback
 [2015-11-30 01:33 UTC] php at ontheroad dot net dot nz
Yes, your patch does resolve the problem for me.  Thanks for such a quick response and my apologies for not being able to give a more reproducible test case for you (but good guess).
 [2015-11-30 02:50 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5df6f9f20ee571caf30c005fc2eae5eb780ba002
Log: Fixed bug #70993 (Array key references break argument processing)
 [2015-11-30 02:50 UTC] laruence@php.net
-Status: Feedback +Status: Closed
 [2016-01-25 08:45 UTC] eli dot demayo at gmail dot com
We are still encountering this issue even on PHP 7.0.1 and PHP 7.0.2.
We're using SalesForce PHP Toolkit (https://github.com/developerforce/Force.com-Toolkit-for-PHP). You can see in SforceEnterpriseClient.php (https://github.com/developerforce/Force.com-Toolkit-for-PHP/blob/master/soapclient/SforceEnterpriseClient.php#L53) that they are using references to array keys and that causes the request to go out with no arguments.
Removing the references solves the problem.
 [2016-06-01 12:10 UTC] e at eriktelford dot net
Same issue here.
 [2016-07-20 11:35 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5df6f9f20ee571caf30c005fc2eae5eb780ba002
Log: Fixed bug #70993 (Array key references break argument processing)
 [2016-11-30 03:32 UTC] php at ontheroad dot net dot nz
Original submitter here: I've just seen the same problem crop up again; is there a chance that this fix has been reverted?  The affected versions are "7.0.8-0ubuntu0.16.04.3 (cli) ( NTS )" (ubuntu) and "PHP 7.0.13 (cli) (built: Nov 18 2016 01:43:37)" (amazon linux).
 
Last updated: Thu Jul 20 18:01:35 2017 UTC