History log of /PHP-8.2/ext/soap/php_http.c (Results 1 – 25 of 241)
Revision Date Author Comments
# a9dada29 05-Oct-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix Soap leaking http_msg on error

Testing all cases is not so easy to do as we would need a server that
redirects from e.g. http to https while SSL is not available.

Closes GH-16254.


# 72a2cbcc 09-Sep-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix bug #73182: PHP SOAPClient does not support stream context HTTP headers in array form

This code is modelled after how `http_fopen_wrapper.c` does things,
which apparently is just looping over the array and handling each string
the same way as if we passed a header string directly.

Also fixes a potential crash in `php_sdl.c` but without adding support
for header arrays there (yet) because the code is untested.

Closes GH-15817.


# 911dc5b4 25-May-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix bug #55639: Digest autentication dont work

RFC 2617 and 7616 describe that for the "Authorization" header we should
not put the qop nor nc value inside quotes. This differs from the
WWW-Authenticate header, which may have been the source of the confusion
in the implementation. While the version with quotes seems to work fine
in some cases, clearly not all servers accept the non-standard form.
To fix the issue, simply removing the quotes of those two header fields
of the client request to be in line with the RFC suffices.

I refer further to example 3.5 in RFC 2617 and example 3.9.1 in
RFC 7616.

RFC 2617: https://datatracker.ietf.org/doc/html/rfc2617
RFC 7616: https://datatracker.ietf.org/doc/html/rfc7616

Closes GH-14328.


# 1b1677a8 01-Jun-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix bug #76232: SoapClient Cookie Header Semicolon

According to RFC 6265 [1] the cookies must be separated by "; " not ";",
and it must not end with ";".

[1] https://datatracker.ietf.org/doc/html/rfc6265

Closes GH-14406.


# ce7ed6e0 29-May-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix bug #47925 again (#14348)

The naming of the userland functions is terrible and confused me.
gzdecode() is actually the function to decompress a gzip stream, and
gzuncompress() is the one to decompress a deflate stream...
See zlib.c to see the internal function -> type mapping.


# 35e62e9b 25-May-2024 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix bug #47925: PHPClient can't decompress response (transposed uncompress methods?)

The incorrect functions are being called to deal with incoming
compressed data.
gzip/x-gzip corresponds to gzuncompress(), while deflate corresponds to
gzinflate().

The existing code for gzip compression also plays with removing the
first 10 bytes (i.e. the gzip header) to pass it to the inflate
implementation but that doesn't always work properly due to trailer
data. Get rid of that entirely by using the correct functions.

Closes GH-14321.


# 97b3b455 01-Feb-2024 Tim Düsterhus

random: Move CSPRNG API into php_random_csprng.h (#13290)

This allows consumers of just the CSPRNG to include a much smaller header. It
also allows to verify at a glance whether a source file might use non-secure
randomness.

This commit includes the new header wherever the CSPRNG is used, possibly
replacing the inclusion of php_random.h if nothing else is used, but also
includes it in the main php_random.h header for compatibility.

Somewhat related to 45f8cfaf104f504340b0073b9736bb50a88d70a1,
2b30f18708b4f73d2c1d29d3a92a606ebdc5ac4c, and
b14dd85dca3b67a5462f5ed9b6aa0dc22beb615c.


# 92e4e8bd 04-Nov-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix #49278: SoapClient::__getLastResponseHeaders returns NULL if wsdl operation !has output

Instead of early exiting, process the headers if tracing is enabled, and
exit after that.

Closes GH-12609.


# 32c7c433 06-Jun-2023 Pierrick Charron

Fix wrong backporting of previous soap patch


# 05724482 06-Jun-2023 Remi Collet

Fix GH-11382 add missing hash header for bin2hex


# ac4254ad 16-Apr-2023 Niels Dossche <7771979+nielsdos@users.noreply.github.com>

Fix missing randomness check and insufficient random bytes for SOAP HTTP Digest

If php_random_bytes_throw fails, the nonce will be uninitialized, but
still sent to the server. The client nonce is intended to protect
against a malicious server. See section 5.10 and 5.12 of RFC 7616 [1],
and bullet point 2 below.

Tim pointed out that even though it's the MD5 of the nonce that gets sent,
enumerating 31 bits is trivial. So we have still a stack information leak
of 31 bits.

Furthermore, Tim found the following issues:
* The small size of cnonce might cause the server to erroneously reject
a request due to a repeated (cnonce, nc) pair. As per the birthday
problem 31 bits of randomness will return a duplication with 50%
chance after less than 55000 requests and nc always starts counting at 1.
* The cnonce is intended to protect the client and password against a
malicious server that returns a constant server nonce where the server
precomputed a rainbow table between passwords and correct client response.
As storage is fairly cheap, a server could precompute the client responses
for (a subset of) client nonces and still have a chance of reversing the
client response with the same probability as the cnonce duplication.

Precomputing the rainbow table for all 2^31 cnonces increases the rainbow
table size by factor 2 billion, which is infeasible. But precomputing it
for 2^14 cnonces only increases the table size by factor 16k and the server
would still have a 10% chance of successfully reversing a password with a
single client request.

This patch fixes the issues by increasing the nonce size, and checking
the return value of php_random_bytes_throw(). In the process we also get
rid of the MD5 hashing of the nonce.

[1] RFC 7616: https://www.rfc-editor.org/rfc/rfc7616

Co-authored-by: Tim Düsterhus <timwolla@php.net>


# 4d8dd8d2 19-Jul-2022 Go Kudo

Implement Random Extension

https://wiki.php.net/rfc/rng_extension
https://wiki.php.net/rfc/random_extension_improvement


# 90b7bde6 03-Nov-2021 Dmitry Stogov

Use more compact representation for packed arrays.

- for packed arrays we store just an array of zvals without keys.
- the elements of packed array are accessible through ht->arPacked[i]
instead of ht->arData[i]
- in addition to general ZEND_HASH_FOREACH_* macros, we introduced similar
families for packed (ZEND_HASH_PACKED_FORECH_*) and real hashes
(ZEND_HASH_MAP_FOREACH_*)
- introduced an additional family of macros to access elements of array
(packed or real hashes) ZEND_ARRAY_ELEMET_SIZE, ZEND_ARRAY_ELEMET_EX,
ZEND_ARRAY_ELEMET, ZEND_ARRAY_NEXT_ELEMENT, ZEND_ARRAY_PREV_ELEMENT
- zend_hash_minmax() prototype was changed to compare only values

Because of smaller data set, this patch may show performance improvement
on some apps and benchmarks that use packed arrays. (~1% on PHP-Parser)

TODO:
- sapi/phpdbg needs special support for packed arrays (WATCH_ON_BUCKET).
- zend_hash_sort_ex() may require converting packed arrays to hash.


# 841d0b30 20-Aug-2021 Nikita Popov

Slightly clean up cookies handling

Make the property always an array with an empty array default.
Properly separate the array on modification to compensate.


# de6cf68a 20-Aug-2021 Nikita Popov

Fix missing string copy

I changed this to a zend_string_copy, but that's not correct in
this case, as we still append to the string below.

Also fix a test on 32-bit.


# 50484b59 20-Aug-2021 Nikita Popov

Move derefs into accessor macros

These derefs are mostly there to be defensive, but clutter the
code somewhat. Move them directly into the access macros.


# e6c6abf6 19-Aug-2021 Nikita Popov

Declare remaining SoapClient properties


# aa4898ef 20-Aug-2021 Nikita Popov

Use separate property to request digit auth

Currently, _digest is used both to request that digest auth be
used (_digest == null) and to later store the _digest parameters.

This relies on the ability to distinguish between _digest being
null and it being not set, which is not present with declared
properties. (Well, technically it is, we could just leave it
uninitialized, but that would be non-idiomatic.)

Resolve this by splitting into separate _use_digest and _digest
properties.


# 018cb891 19-Aug-2021 Nikita Popov

Declare some SoapClient properties

This is only a subset of all properties for now (those without
underscore).


# aff36587 29-Jun-2021 Patrick Allaert

Fixed some spaces used instead of tabs


# 01b3fc03 06-May-2021 KsaR

Update http->https in license (#6945)

1. Update: http://www.php.net/license/3_01.txt to https, as there is anyway server header "Location:" to https.
2. Update few license 3.0 to 3.01 as 3.0 states "php 5.1.1, 4.1.1, and earlier".
3. In some license comments is "at through the world-wide-web" while most is without "at", so deleted.
4. fixed indentation in some files before |


# 84e12626 17-Mar-2021 George Peter Banyard

Use zend_string_equals() API instead of strcmp() in SOAP extension


# 3e01f5af 15-Jan-2021 Nikita Popov

Replace zend_bool uses with bool

We're starting to see a mix between uses of zend_bool and bool.
Replace all usages with the standard bool type everywhere.

Of course, zend_bool is retained as an alias.


# efc52f17 16-Sep-2020 Gabríel Arthúr Pétursson

ext/soap: Compare Set-Cookie header case-insensitively

Closes GH-6143.


# f7c43b8c 18-Aug-2020 Matteo Beccati

Fix #47021: SoapClient stumbles over WSDL delivered with "Transfer-Encoding: chunked"

