#
32c7c433 |
| 06-Jun-2023 |
Pierrick Charron |
Fix wrong backporting of previous soap patch
|
#
05724482 |
| 06-Jun-2023 |
Remi Collet |
Fix GH-11382 add missing hash header for bin2hex
|
#
ac4254ad |
| 16-Apr-2023 |
Niels Dossche <7771979+nielsdos@users.noreply.github.com> |
Fix missing randomness check and insufficient random bytes for SOAP HTTP Digest

If php_random_bytes_throw fails, the nonce will be uninitialized, but still sent to the server. The client nonce is intended to protect against a malicious server. See section 5.10 and 5.12 of RFC 7616 [1], and bullet point 2 below.

Tim pointed out that even though it's the MD5 of the nonce that gets sent, enumerating 31 bits is trivial. So we have still a stack information leak of 31 bits.

Furthermore, Tim found the following issues:
* The small size of cnonce might cause the server to erroneously reject a request due to a repeated (cnonce, nc) pair. As per the birthday problem 31 bits of randomness will return a duplication with 50% chance after less than 55000 requests and nc always starts counting at 1.
* The cnonce is intended to protect the client and password against a malicious server that returns a constant server nonce where the server precomputed a rainbow table between passwords and correct client response. As storage is fairly cheap, a server could precompute the client responses for (a subset of) client nonces and still have a chance of reversing the client response with the same probability as the cnonce duplication. Precomputing the rainbow table for all 2^31 cnonces increases the rainbow table size by factor 2 billion, which is infeasible. But precomputing it for 2^14 cnonces only increases the table size by factor 16k and the server would still have a 10% chance of successfully reversing a password with a single client request.

This patch fixes the issues by increasing the nonce size, and checking the return value of php_random_bytes_throw(). In the process we also get rid of the MD5 hashing of the nonce.

[1] RFC 7616: https://www.rfc-editor.org/rfc/rfc7616

Co-authored-by: Tim Düsterhus <timwolla@php.net>
|
Revision tags: php-8.1.7RC1, php-8.1.4RC1, php-8.1.3, php-8.1.2RC1, php-8.1.0, php-7.3.33, php-7.3.32, php-7.3.31, php-7.3.30 |
|
#
841d0b30 |
| 20-Aug-2021 |
Nikita Popov |
Slightly clean up cookies handling

Make the property always an array with an empty array default. Properly separate the array on modification to compensate. |
#
de6cf68a |
| 20-Aug-2021 |
Nikita Popov |
Fix missing string copy

I changed this to a zend_string_copy, but that's not correct in this case, as we still append to the string below.

Also fix a test on 32-bit. |
#
50484b59 |
| 20-Aug-2021 |
Nikita Popov |
Move derefs into accessor macros

These derefs are mostly there to be defensive, but clutter the code somewhat. Move them directly into the access macros. |
#
e6c6abf6 |
| 19-Aug-2021 |
Nikita Popov |
Declare remaining SoapClient properties |
#
aa4898ef |
| 20-Aug-2021 |
Nikita Popov |
Use separate property to request digest auth

Currently, _digest is used both to request that digest auth be used (_digest == null) and to later store the _digest parameters. This relies on the ability to distinguish between _digest being null and it being not set, which is not present with declared properties. (Well, technically it is, we could just leave it uninitialized, but that would be non-idiomatic.)

Resolve this by splitting into separate _use_digest and _digest properties.
|
#
018cb891 |
| 19-Aug-2021 |
Nikita Popov |
Declare some SoapClient properties

This is only a subset of all properties for now (those without underscore). |
Revision tags: php-7.3.29 |
|
#
aff36587 |
| 29-Jun-2021 |
Patrick Allaert |
Fixed some spaces used instead of tabs |
#
01b3fc03 |
| 06-May-2021 |
KsaR |
Update http->https in license (#6945)

1. Update: http://www.php.net/license/3_01.txt to https, as there is anyway server header "Location:" to https.
2. Update few license 3.0 to 3.01 as 3.0 states "php 5.1.1, 4.1.1, and earlier".
3. In some license comments is "at through the world-wide-web" while most is without "at", so deleted.
4. fixed indentation in some files before |
|
Revision tags: php-7.3.28 |
|
#
84e12626 |
| 17-Mar-2021 |
George Peter Banyard |
Use zend_string_equals() API instead of strcmp() in SOAP extension |
Revision tags: php-7.3.27 |
|
#
3e01f5af |
| 15-Jan-2021 |
Nikita Popov |
Replace zend_bool uses with bool

We're starting to see a mix between uses of zend_bool and bool. Replace all usages with the standard bool type everywhere.

Of course, zend_bool is retained as an alias.
|
Revision tags: php-7.3.26, php-7.3.26RC1, php-7.3.25, php-7.3.25RC1, php-7.3.24, php-7.3.24RC1, php-7.3.23 |
|
#
e55a6581 |
| 17-Sep-2020 |
Nikita Popov |
Merge branch 'PHP-7.4'

* PHP-7.4:
  ext/soap: Compare Set-Cookie header case-insensitively
|
#
f0d2efba |
| 17-Sep-2020 |
Nikita Popov |
Merge branch 'PHP-7.3' into PHP-7.4

* PHP-7.3:
  ext/soap: Compare Set-Cookie header case-insensitively
|
#
efc52f17 |
| 16-Sep-2020 |
Gabríel Arthúr Pétursson |
ext/soap: Compare Set-Cookie header case-insensitively

Closes GH-6143. |
Revision tags: php-7.3.23RC1, php-7.3.22 |
|
#
cf3fb146 |
| 18-Aug-2020 |
Matteo Beccati |
Merge branch 'PHP-7.4'

* PHP-7.4:
  Fix #47021: SoapClient stumbles over WSDL delivered with "Transfer-Encoding: chunked"
|
#
38771724 |
| 18-Aug-2020 |
Matteo Beccati |
Merge branch 'PHP-7.3' into PHP-7.4

* PHP-7.3:
  Fix #47021: SoapClient stumbles over WSDL delivered with "Transfer-Encoding: chunked"
|
#
f7c43b8c |
| 18-Aug-2020 |
Matteo Beccati |
Fix #47021: SoapClient stumbles over WSDL delivered with "Transfer-Encoding: chunked" |
Revision tags: php-7.3.22RC1, php-7.3.21, php-7.3.21RC1, php-7.3.20, php-7.3.20RC1, php-7.3.19, php-7.4.7RC1, php-7.3.19RC1, php-7.3.18RC1, php-7.2.30, php-7.3.17, php-7.3.17RC1, php-7.3.18, php-7.3.16, php-7.3.16RC1, php-7.3.15RC1, php-7.3.15, php-7.3.14, php-7.3.14RC1, php-7.3.13, php-7.3.13RC1, php-7.2.26RC1, php-7.4.0, php-7.2.25, php-7.3.12, php-7.4.0RC6, php-7.3.12RC1, php-7.2.25RC1, php-7.4.0RC5, php-7.1.33, php-7.2.24, php-7.3.11, php-7.4.0RC4, php-7.3.11RC1, php-7.2.24RC1, php-7.4.0RC3 |
|
#
5d6e923d |
| 24-Sep-2019 |
Gabriel Caruso |
Remove mention of PHP major version in Copyright headers

Closes GH-4732. |
Revision tags: php-7.2.23, php-7.3.10, php-7.4.0RC2, php-7.2.23RC1, php-7.3.10RC1, php-7.4.0RC1, php-7.1.32, php-7.2.22, php-7.3.9, php-7.4.0beta4, php-7.2.22RC1, php-7.3.9RC1, php-7.4.0beta2, php-7.1.31, php-7.2.21, php-7.3.8, php-7.4.0beta1 |
|
#
d59aac58 |
| 18-Jul-2019 |
Nikita Popov |
Report errors from stream read and write operations

The php_stream_read() and php_stream_write() functions now return an ssize_t value, with negative results indicating failure. Functions like fread() and fwrite() will return false in that case.

As a special case, EWOULDBLOCK and EAGAIN on non-blocking streams should not be regarded as error conditions, and be reported as successful zero-length reads/writes instead. The handling of EINTR remains unclear and is internally inconsistent (e.g. some code-paths will automatically retry on EINTR, while some won't).

I'm landing this now to make sure the stream wrapper ops API changes make it into 7.4 -- however, if the user-facing changes turn out to be problematic we have the option of clamping negative returns to zero in php_stream_read() and php_stream_write() to restore the old behavior in a relatively non-intrusive manner.
|
#
290e520c |
| 16-Jul-2019 |
Nikita Popov |
Use ZEND_HASH_FOREACH APIs in a few more places |
Revision tags: php-7.2.21RC1, php-7.3.8RC1, php-7.4.0alpha3, php-7.3.7, php-7.2.20, php-7.4.0alpha2, php-7.3.7RC3, php-7.3.7RC2, php-7.2.20RC2, php-7.4.0alpha1, php-7.3.7RC1, php-7.2.20RC1, php-7.2.19, php-7.3.6, php-7.1.30 |
|
#
4ebd9a53 |
| 21-May-2019 |
Nikita Popov |
Merge branch 'PHP-7.2' into PHP-7.3
|
Revision tags: php-7.2.19RC1, php-7.3.6RC1, php-7.1.29, php-7.2.18, php-7.3.5 |
|
#
5f8c22d4 |
| 23-Apr-2019 |
Vincent JARDIN |
Support content_type stream context option in soap

Allows overriding the HTTP header using the HTTP context:

    $client = new SoapClient('http://url.wsdl&v=latest', [
        'stream_context' => stream_context_create([
            'http' => [
                'content_type' => 'foobarX',
            ],
        ]),
    ]);

This is a backport of c55af3c65ac116bbd935bd3d695869d88056c49c to the PHP 7.2 branch.
|
#
c55af3c6 |
| 23-Apr-2019 |
Vincent JARDIN |
Support content_type stream context option in soap

Allows overriding the HTTP header using the HTTP context:

    $client = new SoapClient('http://url.wsdl&v=latest', [
        'stream_context' => stream_context_create([
            'http' => [
                'content_type' => 'foobarX',
            ],
        ]),
    ]);
|