Fix bug #69280: SoapClient classmap doesn't support fully qualified class name

There's a hash table that maps type names to class name, but names with
a leading backslash are not supported. The engine has logic to strip
away the leading backslash that we should replicate here.

It works by checking if we need to make an actual copy in case an
unexpected (e.g. invalid data or leading backslash) situations are
detected. Upon making a copy we normalize the data in the table.

Furthermore, previously the code assumed that the key was always valid
and that the structure was a non-packed hash table. This isn't
necessarily the case. The new code fixes this as well.

Author: nielsdos

ext/soap/php_encoding.c

@@ -449,11 +449,8 @@ static xmlNodePtr master_to_xml_int(encodePtr encode, zval *data, int style, xml
 			zend_string *type_name;
 
 			ZEND_HASH_MAP_FOREACH_STR_KEY_VAL(SOAP_GLOBAL(class_map), type_name, tmp) {
-				ZVAL_DEREF(tmp);
-				if (Z_TYPE_P(tmp) == IS_STRING &&
-				    ZSTR_LEN(ce->name) == Z_STRLEN_P(tmp) &&
-				    zend_binary_strncasecmp(ZSTR_VAL(ce->name), ZSTR_LEN(ce->name), Z_STRVAL_P(tmp), ZSTR_LEN(ce->name), ZSTR_LEN(ce->name)) == 0 &&
-				    type_name) {
+				if (ZSTR_LEN(ce->name) == Z_STRLEN_P(tmp) &&
+				    zend_binary_strncasecmp(ZSTR_VAL(ce->name), ZSTR_LEN(ce->name), Z_STRVAL_P(tmp), ZSTR_LEN(ce->name), ZSTR_LEN(ce->name)) == 0) {
 
 					/* TODO: namespace isn't stored */
 					encodePtr enc = NULL;
@@ -1382,7 +1379,6 @@ static zval *to_zval_object_ex(zval *ret, encodeTypePtr type, xmlNodePtr data, z
 		zend_class_entry  *tmp;
 
 		if ((classname = zend_hash_str_find_deref(SOAP_GLOBAL(class_map), type->type_str, strlen(type->type_str))) != NULL &&
-		    Z_TYPE_P(classname) == IS_STRING &&
 		    (tmp = zend_fetch_class(Z_STR_P(classname), ZEND_FETCH_CLASS_AUTO)) != NULL) {
 			ce = tmp;
 		}
@@ -3629,3 +3625,48 @@ void delete_encoder_persistent(zval *zv)
 	assert(t->details.map == NULL);
 	free(t);
 }
+
+/* Normalize leading backslash similarly to how the engine strips it away. */
+static inline zend_string *drop_leading_backslash(zend_string *str) {
+	if (ZSTR_VAL(str)[0] == '\\') {
+		return zend_string_init(ZSTR_VAL(str) + 1, ZSTR_LEN(str) - 1, false);
+	} else {
+		return zend_string_copy(str);
+	}
+}
+
+static HashTable *create_normalized_classmap_copy(HashTable *class_map)
+{
+	HashTable *normalized = zend_new_array(zend_hash_num_elements(class_map));
+
+	zend_string *key;
+	zval *value;
+	ZEND_HASH_FOREACH_STR_KEY_VAL(class_map, key, value) {
+		ZVAL_DEREF(value);
+
+		if (key != NULL && Z_TYPE_P(value) == IS_STRING) {
+			zval zv;
+			ZVAL_STR(&zv, drop_leading_backslash(Z_STR_P(value)));
+			zend_hash_add_new(normalized, key, &zv);
+		}
+	} ZEND_HASH_FOREACH_END();
+
+	return normalized;
+}
+
+void create_normalized_classmap(zval *return_value, zval *class_map)
+{
+	/* Check if we need to make a copy. */
+	zend_string *key;
+	zval *value;
+	ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARR_P(class_map), key, value) {
+		if (key == NULL || Z_TYPE_P(value) != IS_STRING || ZSTR_VAL(Z_STR_P(value))[0] == '\\') {
+			/* TODO: should probably throw in some of these cases to indicate programmer error,
+			 * e.g. in the case where a non-string (after dereferencing) is provided. */
+			RETURN_ARR(create_normalized_classmap_copy(Z_ARR_P(class_map)));
+		}
+	} ZEND_HASH_FOREACH_END();
+
+	/* We didn't have to make an actual copy, just increment the refcount. */
+	RETURN_COPY(class_map);
+}

ext/soap/php_encoding.h

@@ -214,6 +214,8 @@ encodePtr get_conversion(int encode);
 void delete_encoder(zval *zv);
 void delete_encoder_persistent(zval *zv);
 
+void create_normalized_classmap(zval *return_value, zval *class_map);
+
 extern const encode defaultEncoding[];
 extern int numDefaultEncodings;
 

ext/soap/soap.c

@@ -816,7 +816,9 @@ PHP_METHOD(SoapServer, __construct)
 
 		if ((tmp = zend_hash_str_find(ht, "classmap", sizeof("classmap")-1)) != NULL &&
 			Z_TYPE_P(tmp) == IS_ARRAY) {
-			service->class_map = zend_array_dup(Z_ARRVAL_P(tmp));
+			zval zv;
+			create_normalized_classmap(&zv, tmp);
+			service->class_map = Z_ARR(zv);
 		}
 
 		if ((tmp = zend_hash_str_find(ht, "typemap", sizeof("typemap")-1)) != NULL &&
@@ -1982,7 +1984,7 @@ PHP_METHOD(SoapClient, __construct)
 		}
 		if ((tmp = zend_hash_str_find(ht, "classmap", sizeof("classmap")-1)) != NULL &&
 			Z_TYPE_P(tmp) == IS_ARRAY) {
-			ZVAL_COPY(Z_CLIENT_CLASSMAP_P(this_ptr), tmp);
+			create_normalized_classmap(Z_CLIENT_CLASSMAP_P(this_ptr), tmp);
 		}
 
 		if ((tmp = zend_hash_str_find(ht, "typemap", sizeof("typemap")-1)) != NULL &&
@@ -4384,7 +4386,7 @@ static void delete_service(void *data) /* {{{ */
 	if (service->encoding) {
 		xmlCharEncCloseFunc(service->encoding);
 	}
-	if (service->class_map) {
+	if (service->class_map && !(GC_FLAGS(service->class_map) & IS_ARRAY_IMMUTABLE) && !GC_DELREF(service->class_map)) {
 		zend_hash_destroy(service->class_map);
 		FREE_HASHTABLE(service->class_map);
 	}

ext/soap/tests/bug69280.phpt

@@ -41,4 +41,4 @@ $a->TestMethod($r1);
 ?>
 --EXPECT--
 <?xml version="1.0" encoding="UTF-8"?>
-<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><parameters><prop>prop</prop><prop1>prop1</prop1></parameters></SOAP-ENV:Body></SOAP-ENV:Envelope>
+<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://tempuri.org/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Body><parameters xsi:type="ns1:RealClass1"><ns1:prop>prop</ns1:prop><ns1:prop1>prop1</ns1:prop1></parameters></SOAP-ENV:Body></SOAP-ENV:Envelope>