[PHP-BUG] Bug #54911 [NEW]: Access to a undefined member in inherit SoapClient may cause Segmentation Fault
From: Operating system: Linux PHP version: 5.3.6 Package: Reproducible crash Bug Type: Bug Bug description:Access to a undefined member in inherit SoapClient may cause Segmentation Fault Description: If you try to access an undefined variable or constant in an extended SoapClient, it will cause PHP crash due to a Segmentation Fault. Test script: --- '', 'location'=>'')); $client->__soapCall('', array()); ?> Expected result: An error like, Fatal error: Access to undeclared static property: XSoapClient::$crash... Actual result: -- $ sapi/cli/php ../crash.php Segmentation fault # gdb backtrace... Starting program: /home/erik/php-5.3.6/sapi/cli/php ../crash.php [Thread debugging using libthread_db enabled] Program received signal SIGSEGV, Segmentation fault. 0x0843c238 in zval_delref_p (zval_ptr=0xbfffcf68, __zend_filename=0x87cc4e8 "/home/erik/php-5.3.6/Zend/zend_vm_execute.h", __zend_lineno=609) at /home/erik/php-5.3.6/Zend/zend.h:385 385 return --pz->refcount__gc; (gdb) bt #0 0x0843c238 in zval_delref_p (zval_ptr=0xbfffcf68, __zend_filename=0x87cc4e8 "/home/erik/php-5.3.6/Zend/zend_vm_execute.h", __zend_lineno=609) at /home/erik/php-5.3.6/Zend/zend.h:385 #1 _zval_ptr_dtor (zval_ptr=0xbfffcf68, __zend_filename=0x87cc4e8 "/home/erik/php-5.3.6/Zend/zend_vm_execute.h", __zend_lineno=609) at /home/erik/php-5.3.6/Zend/zend_execute_API.c:437 #2 0x08479ff8 in ZEND_HANDLE_EXCEPTION_SPEC_HANDLER (execute_data=0x8920a60) at /home/erik/php-5.3.6/Zend/zend_vm_execute.h:609 #3 0x08478793 in execute (op_array=0x88f2be0) at /home/erik/php-5.3.6/Zend/zend_vm_execute.h:107 #4 0x0844bae6 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /home/erik/php-5.3.6/Zend/zend.c:1194 #5 0x083e102e in php_execute_script (primary_file=0xb324) at /home/erik/php-5.3.6/main/main.c:2268 #6 0x08509d35 in main (argc=2, argv=0xb4b4) at /home/erik/php-5.3.6/sapi/cli/php_cli.c:1193 -- Edit bug report at http://bugs.php.net/bug.php?id=54911&edit=1 -- Try a snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=54911&r=trysnapshot52 Try a snapshot (PHP 5.3): http://bugs.php.net/fix.php?id=54911&r=trysnapshot53 Try a snapshot (trunk): http://bugs.php.net/fix.php?id=54911&r=trysnapshottrunk Fixed in SVN: http://bugs.php.net/fix.php?id=54911&r=fixed Fixed in SVN and need be documented: http://bugs.php.net/fix.php?id=54911&r=needdocs Fixed in release: http://bugs.php.net/fix.php?id=54911&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=54911&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=54911&r=needscript Try newer version: http://bugs.php.net/fix.php?id=54911&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=54911&r=support Expected behavior: http://bugs.php.net/fix.php?id=54911&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=54911&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=54911&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=54911&r=globals PHP 4 support discontinued: http://bugs.php.net/fix.php?id=54911&r=php4 Daylight Savings:http://bugs.php.net/fix.php?id=54911&r=dst IIS Stability: http://bugs.php.net/fix.php?id=54911&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=54911&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=54911&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=54911&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=54911&r=mysqlcfg
#48590 [Opn]: SOAP Client (redirect loop)
ID: 48590 User updated by: erik at datahack dot se Reported By: erik at datahack dot se Status: Open Bug Type:SOAP related PHP Version: 5.3.0RC3 New Comment: The sample code has an extra comma after the "'stream_context' => $context,". Previous Comments: [2009-06-17 21:05:23] erik at datahack dot se Description: A SOAPClient can be stuck in a redirect loop (and in some cases crash). Other PHP functions have solved this by a default redirection limit of 20 redirects (maybe a php.ini setting) or a custom value of a stream context -> http -> max_redirects. I provide two examples, one where PHP crashes after ~200 requests and one where it just loops forever. Reproduce code: --- redirection-loop.php: client code (crashes): array('max_redirects' => 3)) ); $soap = new SOAPClient(NULL, array( 'uri' => 'foo', 'location' => 'http://example.com/redirection-loop.php', 'stream_context' => $context, ) ); $soap->test(); ?> client code (never finishes): 'foo', 'location' => 'http://example.com/redirection-loop.php' ) ); $soap->test(); ?> Expected result: I expect it to have a default limit of 20 but also respect the max_requests value in the stream context. If the limit is reached I would expect a SOAPFault with a similar error description as below. When requesting the same file (redirection-loop.php) with file_get_contents() you get a warning and a empty result is returned. Warning: file_get_contents(http://example.com/redirection-loop.php): failed to open stream: Redirection limit reached, aborting in Command line code on line 1 Actual result: -- This is what happens if you specify a stream_context and tries to make it respect the max_requests (which is does not)... (gdb) bt #0 0x082e2c9e in php_stream_context_get_option (context=0xa2eb5b4, wrappername=0x85eb353 "socket", optionname=0x8623e2a "bindto", optionvalue=0xbf866d04) at php-5.3.0RC3/main/streams/streams.c:2036 #1 0x082ef2e3 in php_tcp_sockop_set_option (stream=0xa2eac68, option=7, value=0, ptrparam=0xbf866dd0) at php-5.3.0RC3/main/streams/xp_socket.c:641 #2 0x082e27d2 in _php_stream_set_option (stream=0xa2eac68, option=7, value=0, ptrparam=0xbf866dd0) at php-5.3.0RC3/main/streams/streams.c:1175 #3 0x082ed90f in php_stream_xport_connect (stream=0xa2eac68, name=0xa2eac16 "example.com:80", namelen=16, asynchronous=0, timeout=0xbf866e84, error_text=0xbf866e8c, error_code=0x0) at php-5.3.0RC3/main/streams/transports.c:230 #4 0x082edcca in _php_stream_xport_create (name=0xa2eac16 "example.org:80", namelen=16, options=12, flags=0, persistent_id=0x0, timeout=0xbf866e84, context=0xa2eb5b4, error_string=0x0, error_code=0x0) at php-5.3.0RC3/main/streams/transports.c:143 #5 0x081d56c6 in make_http_soap_request (this_ptr=0xa2ea634, buf=0xa35d5f0 "\nhttp://schemas.xmlsoap.org/soap/envelope/\"; xmlns:ns1=\"foo\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"; xmlns:SOAP-ENC="..., buf_size=378, location=0xa2eaa18 "http://example.com/redirection-loop.php";, soapaction=0xa2eab9c "foo#test", soap_version=1, buffer=0xa2eab1c, buffer_len=0xa2eab20) at php-5.3.0RC3/ext/soap/php_http.c:120 #6 0x081b41d0 in zim_SoapClient___doRequest (ht=5, return_value=0xa2eab1c, return_value_ptr=0xbf8673c8, this_ptr=0xa2ea634, return_value_used=1) at php-5.3.0RC3/ext/soap/soap.c:3249 (gdb) f 0 #0 0x082e2c9e in php_stream_context_get_option (context=0xa2eb5b4, wrappername=0x85eb353 "socket", optionname=0x8623e2a "bindto", optionvalue=0xbf866d04) at php-5.3.0RC3/main/streams/streams.c:2036 2036if (FAILURE == zend_hash_find(Z_ARRVAL_P(context->options), (char*)wrappername, strlen(wrappername)+1, (void**)&wrapperhash)) { -- Edit this bug report at http://bugs.php.net/?id=48590&edit=1
#48590 [NEW]: SOAP Client (redirect loop)
From: erik at datahack dot se Operating system: PHP version: 5.3.0RC3 PHP Bug Type: SOAP related Bug description: SOAP Client (redirect loop) Description: A SOAPClient can be stuck in a redirect loop (and in some cases crash). Other PHP functions have solved this by a default redirection limit of 20 redirects (maybe a php.ini setting) or a custom value of a stream context -> http -> max_redirects. I provide two examples, one where PHP crashes after ~200 requests and one where it just loops forever. Reproduce code: --- redirection-loop.php: client code (crashes): array('max_redirects' => 3)) ); $soap = new SOAPClient(NULL, array( 'uri' => 'foo', 'location' => 'http://example.com/redirection-loop.php', 'stream_context' => $context, ) ); $soap->test(); ?> client code (never finishes): 'foo', 'location' => 'http://example.com/redirection-loop.php' ) ); $soap->test(); ?> Expected result: I expect it to have a default limit of 20 but also respect the max_requests value in the stream context. If the limit is reached I would expect a SOAPFault with a similar error description as below. When requesting the same file (redirection-loop.php) with file_get_contents() you get a warning and a empty result is returned. Warning: file_get_contents(http://example.com/redirection-loop.php): failed to open stream: Redirection limit reached, aborting in Command line code on line 1 Actual result: -- This is what happens if you specify a stream_context and tries to make it respect the max_requests (which is does not)... (gdb) bt #0 0x082e2c9e in php_stream_context_get_option (context=0xa2eb5b4, wrappername=0x85eb353 "socket", optionname=0x8623e2a "bindto", optionvalue=0xbf866d04) at php-5.3.0RC3/main/streams/streams.c:2036 #1 0x082ef2e3 in php_tcp_sockop_set_option (stream=0xa2eac68, option=7, value=0, ptrparam=0xbf866dd0) at php-5.3.0RC3/main/streams/xp_socket.c:641 #2 0x082e27d2 in _php_stream_set_option (stream=0xa2eac68, option=7, value=0, ptrparam=0xbf866dd0) at php-5.3.0RC3/main/streams/streams.c:1175 #3 0x082ed90f in php_stream_xport_connect (stream=0xa2eac68, name=0xa2eac16 "example.com:80", namelen=16, asynchronous=0, timeout=0xbf866e84, error_text=0xbf866e8c, error_code=0x0) at php-5.3.0RC3/main/streams/transports.c:230 #4 0x082edcca in _php_stream_xport_create (name=0xa2eac16 "example.org:80", namelen=16, options=12, flags=0, persistent_id=0x0, timeout=0xbf866e84, context=0xa2eb5b4, error_string=0x0, error_code=0x0) at php-5.3.0RC3/main/streams/transports.c:143 #5 0x081d56c6 in make_http_soap_request (this_ptr=0xa2ea634, buf=0xa35d5f0 "\nhttp://schemas.xmlsoap.org/soap/envelope/\"; xmlns:ns1=\"foo\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"; xmlns:SOAP-ENC="..., buf_size=378, location=0xa2eaa18 "http://example.com/redirection-loop.php";, soapaction=0xa2eab9c "foo#test", soap_version=1, buffer=0xa2eab1c, buffer_len=0xa2eab20) at php-5.3.0RC3/ext/soap/php_http.c:120 #6 0x081b41d0 in zim_SoapClient___doRequest (ht=5, return_value=0xa2eab1c, return_value_ptr=0xbf8673c8, this_ptr=0xa2ea634, return_value_used=1) at php-5.3.0RC3/ext/soap/soap.c:3249 (gdb) f 0 #0 0x082e2c9e in php_stream_context_get_option (context=0xa2eb5b4, wrappername=0x85eb353 "socket", optionname=0x8623e2a "bindto", optionvalue=0xbf866d04) at php-5.3.0RC3/main/streams/streams.c:2036 2036if (FAILURE == zend_hash_find(Z_ARRVAL_P(context->options), (char*)wrappername, strlen(wrappername)+1, (void**)&wrapperhash)) { -- Edit bug report at http://bugs.php.net/?id=48590&edit=1 -- Try a CVS snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=48590&r=trysnapshot52 Try a CVS snapshot (PHP 5.3): http://bugs.php.net/fix.php?id=48590&r=trysnapshot53 Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=48590&r=trysnapshot60 Fixed in CVS: http://bugs.php.net/fix.php?id=48590&r=fixedcvs Fixed in CVS and need be documented: http://bugs.php.net/fix.php?id=48590&r=needdocs Fixed in release: http://bugs.php.net/fix.php?id=48590&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=48590&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=48590&r=needscript Try newer version: http://bugs.php.net/fix.php?id=48590&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=48590&r=support Expected behavior: http://bugs.php.net/fix.php?id=48590&r=notwrong Not enough info: http://bugs.php.net/fix.ph