Fix #49169: SoapServer calls wrong function, although "SOAP action" header is correct #15970
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nielsdos
commented
Sep 20, 2024
| soap_action_length--; | ||
| } | ||
|
|
||
| /* TODO: This may depend on a particular target namespace, in which case this won't find a match when multiple different |
There was a problem hiding this comment.
As stated by the TODO, this may require more work but depends on another fix.
|
Reconstructed test case: https://gist.github.com/nielsdos/03b758daf961fa335d4aedba8dd33d16 |
|
cc @cmb69 You seem to have some SOAP knowledge, perhaps you are interested in sanity checking this? |
nielsdos
force-pushed
the
fix-49169
branch
3 times, most recently
from
48ff6e7 to
7fe2c05
Compare
|
The failure was because of 2 missing NULL checks, one for the SDL, and one for the binding attributes. Remaining failures are unrelated. |
Girgias
reviewed
Sep 22, 2024
Not really. :(
Given that this is a bug fix, I think 8.4 is fine. On the other hand, the bug has been reported 15 years ago, so having to wait another year for the fix might be bearable. |
|
I'm okay with waiting for 8.5 to put through a bunch of fixes into SOAP. |
This is in preparation for adding functionality in later commits.
…eader is correct Although the original reproducer no longer exists, I was able to cook up something similar. The problem is that there are two ways ext-soap currently looks up functions: 1) By matching the exact function name; but this doesn't work if the function name is not in the body. 2) By matching the parameter names. Neither of these work when we don't have the function name in the body, and when the parameter names are not unique. That's where we can use the "SOAPAction" header to distinguish between different actions. This header should be checked first and be matched against the "soapAction" attribute in the WSDL. We keep the existing fallbacks such that the chance of a BC break is minimized. Note that since #49169 a potential target namespace is ignored right now.
|
Rebased on current master so entire CI can test. |
|
If no one objects I'll merge on monday |
jorgsowa
pushed a commit
to jorgsowa/php-src
that referenced
this pull request
Oct 1, 2024
…eader is correct Although the original reproducer no longer exists, I was able to cook up something similar. The problem is that there are two ways ext-soap currently looks up functions: 1) By matching the exact function name; but this doesn't work if the function name is not in the body. 2) By matching the parameter names. Neither of these work when we don't have the function name in the body, and when the parameter names are not unique. That's where we can use the "SOAPAction" header to distinguish between different actions. This header should be checked first and be matched against the "soapAction" attribute in the WSDL. We keep the existing fallbacks such that the chance of a BC break is minimized. Note that since #49169 a potential target namespace is ignored right now. Closes phpGH-15970.
jorgsowa
pushed a commit
to jorgsowa/php-src
that referenced
this pull request
Oct 1, 2024
…eader is correct Although the original reproducer no longer exists, I was able to cook up something similar. The problem is that there are two ways ext-soap currently looks up functions: 1) By matching the exact function name; but this doesn't work if the function name is not in the body. 2) By matching the parameter names. Neither of these work when we don't have the function name in the body, and when the parameter names are not unique. That's where we can use the "SOAPAction" header to distinguish between different actions. This header should be checked first and be matched against the "soapAction" attribute in the WSDL. We keep the existing fallbacks such that the chance of a BC break is minimized. Note that since #49169 a potential target namespace is ignored right now. Closes phpGH-15970.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See individual commits and their descriptions.
Sending to master because the fix is fairly non-trivial.