History log of /PHP-8.1/ext/soap/php_http.c (Results 1 – 25 of 235)
# 32c7c433 06-Jun-2023 Pierrick Charron

Fix wrong backporting of previous soap patch


# 05724482 06-Jun-2023 Remi Collet

Fix GH-11382 add missing hash header for bin2hex


# ac4254ad 16-Apr-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix missing randomness check and insufficient random bytes for SOAP HTTP Digest

If php_random_bytes_throw fails, the nonce will be uninitialized, but
still sent to the server. The client nonce is intended to protect
against a malicious server. See section 5.10 and 5.12 of RFC 7616 [1],
and bullet point 2 below.

Tim pointed out that even though it's the MD5 of the nonce that gets sent,
enumerating 31 bits is trivial. So we still have a stack information leak
of 31 bits.

Furthermore, Tim found the following issues:
* The small size of cnonce might cause the server to erroneously reject
a request due to a repeated (cnonce, nc) pair. As per the birthday
problem 31 bits of randomness will return a duplication with 50%
chance after less than 55000 requests and nc always starts counting at 1.
* The cnonce is intended to protect the client and password against a
malicious server that returns a constant server nonce where the server
precomputed a rainbow table between passwords and correct client response.
As storage is fairly cheap, a server could precompute the client responses
for (a subset of) client nonces and still have a chance of reversing the
client response with the same probability as the cnonce duplication.

Precomputing the rainbow table for all 2^31 cnonces increases the rainbow
table size by factor 2 billion, which is infeasible. But precomputing it
for 2^14 cnonces only increases the table size by factor 16k and the server
would still have a 10% chance of successfully reversing a password with a
single client request.

This patch fixes the issues by increasing the nonce size, and checking
the return value of php_random_bytes_throw(). In the process we also get
rid of the MD5 hashing of the nonce.

[1] RFC 7616: https://www.rfc-editor.org/rfc/rfc7616

Co-authored-by: Tim Düsterhus <timwolla@php.net>
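
Added example (not code from php-src or from the commit above): the pattern the ac4254ad message describes, in C, where the random source's return value is checked before a client nonce is used and the raw bytes are hex-encoded directly instead of being hashed. The names make_cnonce, rng_fn, urandom_bytes and failing_rng, the /dev/urandom source and the 16-byte nonce size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define CNONCE_BYTES   16                 /* assumed size (128 bits), not PHP's value */
#define CNONCE_HEX_LEN (2 * CNONCE_BYTES)

/* Hypothetical RNG callback: returns 0 on success, -1 on failure. */
typedef int (*rng_fn)(unsigned char *buf, size_t len);

/* CSPRNG backed by /dev/urandom; a short read counts as failure. */
int urandom_bytes(unsigned char *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Constructed failing source, used only to exercise the error path. */
int failing_rng(unsigned char *buf, size_t len)
{
    (void)buf; (void)len;
    return -1;
}

/* Writes a hex cnonce into out. On RNG failure returns -1 and leaves out
 * as an empty string, so uninitialized stack bytes can never be sent. */
int make_cnonce(rng_fn rng, char out[CNONCE_HEX_LEN + 1])
{
    static const char hex[] = "0123456789abcdef";
    unsigned char raw[CNONCE_BYTES];

    out[0] = '\0';
    if (rng(raw, sizeof raw) != 0)
        return -1;                        /* caller must abort the request */
    for (size_t i = 0; i < sizeof raw; i++) {
        out[2 * i]     = hex[raw[i] >> 4];
        out[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    out[CNONCE_HEX_LEN] = '\0';
    return 0;
}

int main(void)
{
    char cnonce[CNONCE_HEX_LEN + 1];
    if (make_cnonce(urandom_bytes, cnonce) != 0) {
        fprintf(stderr, "no randomness available, request not sent\n");
        return 1;
    }
    printf("cnonce=\"%s\"\n", cnonce);
    return 0;
}
```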


Revision tags: php-8.1.7RC1, php-8.1.4RC1, php-8.1.3, php-8.1.2RC1, php-8.1.0, php-7.3.33, php-7.3.32, php-7.3.31, php-7.3.30
# 841d0b30 20-Aug-2021 Nikita Popov

Slightly clean up cookies handling

Make the property always an array with an empty array default.
Properly separate the array on modification to compensate.

# de6cf68a 20-Aug-2021 Nikita Popov

Fix missing string copy

I changed this to a zend_string_copy, but that's not correct in
this case, as we still append to the string below.

Also fix a test on 32-bit.

# 50484b59 20-Aug-2021 Nikita Popov

Move derefs into accessor macros

These derefs are mostly there to be defensive, but clutter the
code somewhat. Move them directly into the access macros.

# e6c6abf6 19-Aug-2021 Nikita Popov

Declare remaining SoapClient properties

# aa4898ef 20-Aug-2021 Nikita Popov

Use separate property to request digit auth

Currently, _digest is used both to request that digest auth be
used (_digest == null) and to later store the _digest parameters.

This relies on the ability to distinguish between _digest being
null and it being not set, which is not present with declared
properties. (Well, technically it is, we could just leave it
uninitialized, but that would be non-idiomatic.)

Resolve this by splitting into separate _use_digest and _digest
properties.

# 018cb891 19-Aug-2021 Nikita Popov

Declare some SoapClient properties

This is only a subset of all properties for now (those without
underscore).

Revision tags: php-7.3.29
# aff36587 29-Jun-2021 Patrick Allaert

Fixed some spaces used instead of tabs

# 01b3fc03 06-May-2021 KsaR

Update http->https in license (#6945)

1. Update: http://www.php.net/license/3_01.txt to https, as there is anyway server header "Location:" to https.
2. Update few license 3.0 to 3.01 as 3.0 states "php 5.1.1, 4.1.1, and earlier".
3. In some license comments is "at through the world-wide-web" while most is without "at", so deleted.
4. fixed indentation in some files before |

Revision tags: php-7.3.28
# 84e12626 17-Mar-2021 George Peter Banyard

Use zend_string_equals() API instead of strcmp() in SOAP extension

Revision tags: php-7.3.27
# 3e01f5af 15-Jan-2021 Nikita Popov

Replace zend_bool uses with bool

We're starting to see a mix between uses of zend_bool and bool.
Replace all usages with the standard bool type everywhere.

Of course, zend_bool is retained as an alias.

Revision tags: php-7.3.26, php-7.3.26RC1, php-7.3.25, php-7.3.25RC1, php-7.3.24, php-7.3.24RC1, php-7.3.23
# e55a6581 17-Sep-2020 Nikita Popov

Merge branch 'PHP-7.4'

* PHP-7.4:
ext/soap: Compare Set-Cookie header case-insensitively


# f0d2efba 17-Sep-2020 Nikita Popov

Merge branch 'PHP-7.3' into PHP-7.4

* PHP-7.3:
ext/soap: Compare Set-Cookie header case-insensitively


# efc52f17 16-Sep-2020 Gabríel Arthúr Pétursson

ext/soap: Compare Set-Cookie header case-insensitively

Closes GH-6143.

Revision tags: php-7.3.23RC1, php-7.3.22
# cf3fb146 18-Aug-2020 Matteo Beccati

Merge branch 'PHP-7.4'

* PHP-7.4:
Fix #47021: SoapClient stumbles over WSDL delivered with "Transfer-Encoding: chunked"


# 38771724 18-Aug-2020 Matteo Beccati

Merge branch 'PHP-7.3' into PHP-7.4

* PHP-7.3:
Fix #47021: SoapClient stumbles over WSDL delivered with "Transfer-Encoding: chunked"


# f7c43b8c 18-Aug-2020 Matteo Beccati

Fix #47021: SoapClient stumbles over WSDL delivered with "Transfer-Encoding: chunked"

Revision tags: php-7.3.22RC1, php-7.3.21, php-7.3.21RC1, php-7.3.20, php-7.3.20RC1, php-7.3.19, php-7.4.7RC1, php-7.3.19RC1, php-7.3.18RC1, php-7.2.30, php-7.3.17, php-7.3.17RC1, php-7.3.18, php-7.3.16, php-7.3.16RC1, php-7.3.15RC1, php-7.3.15, php-7.3.14, php-7.3.14RC1, php-7.3.13, php-7.3.13RC1, php-7.2.26RC1, php-7.4.0, php-7.2.25, php-7.3.12, php-7.4.0RC6, php-7.3.12RC1, php-7.2.25RC1, php-7.4.0RC5, php-7.1.33, php-7.2.24, php-7.3.11, php-7.4.0RC4, php-7.3.11RC1, php-7.2.24RC1, php-7.4.0RC3
# 5d6e923d 24-Sep-2019 Gabriel Caruso

Remove mention of PHP major version in Copyright headers

Closes GH-4732.

Revision tags: php-7.2.23, php-7.3.10, php-7.4.0RC2, php-7.2.23RC1, php-7.3.10RC1, php-7.4.0RC1, php-7.1.32, php-7.2.22, php-7.3.9, php-7.4.0beta4, php-7.2.22RC1, php-7.3.9RC1, php-7.4.0beta2, php-7.1.31, php-7.2.21, php-7.3.8, php-7.4.0beta1
# d59aac58 18-Jul-2019 Nikita Popov

Report errors from stream read and write operations

The php_stream_read() and php_stream_write() functions now return
an ssize_t value, with negative results indicating failure. Functions
like fread() and fwrite() will return false in that case.

As a special case, EWOULDBLOCK and EAGAIN on non-blocking streams
should not be regarded as error conditions, and be reported as
successful zero-length reads/writes instead. The handling of EINTR
remains unclear and is internally inconsistent (e.g. some code-paths
will automatically retry on EINTR, while some won't).

I'm landing this now to make sure the stream wrapper ops API changes
make it into 7.4 -- however, if the user-facing changes turn out to
be problematic we have the option of clamping negative returns to
zero in php_stream_read() and php_stream_write() to restore the
old behavior in a relatively non-intrusive manner.

# 290e520c 16-Jul-2019 Nikita Popov

Use ZEND_HASH_FOREACH APIs in a few more places

Revision tags: php-7.2.21RC1, php-7.3.8RC1, php-7.4.0alpha3, php-7.3.7, php-7.2.20, php-7.4.0alpha2, php-7.3.7RC3, php-7.3.7RC2, php-7.2.20RC2, php-7.4.0alpha1, php-7.3.7RC1, php-7.2.20RC1, php-7.2.19, php-7.3.6, php-7.1.30
# 4ebd9a53 21-May-2019 Nikita Popov

Merge branch 'PHP-7.2' into PHP-7.3


Revision tags: php-7.2.19RC1, php-7.3.6RC1, php-7.1.29, php-7.2.18, php-7.3.5
# 5f8c22d4 23-Apr-2019 Vincent JARDIN

Support content_type stream context option in soap

Allows overriding the HTTP header using the HTTP context:

    $client = new SoapClient('http://url.wsdl&v=latest', [
        'stream_context' => stream_context_create([
            'http' => [
                'content_type' => 'foobarX',
            ],
        ]),
    ]);

This is a backport of c55af3c65ac116bbd935bd3d695869d88056c49c
to the PHP 7.2 branch.

# c55af3c6 23-Apr-2019 Vincent JARDIN

Support content_type stream context option in soap

Allows overriding the HTTP header using the HTTP context:

    $client = new SoapClient('http://url.wsdl&v=latest', [
        'stream_context' => stream_context_create([
            'http' => [
                'content_type' => 'foobarX',
            ],
        ]),
    ]);
