Description
Originally reported by @waseem-cve.
The following code:
```php
<?php
$doc = new DOMDocument;
$doc->loadXML('<root/>');
$xp = new DOMXPath($doc);
$xp->registerNamespace('my', 'my.ns');
// Callback returns a node owned by a second, short-lived document.
$xp->registerPHPFunctionNS('my.ns', 'include', function () {
    $d = new DOMDocument;
    $d->loadXML('<r><uaf/></r>');
    return $d->documentElement;
});
// The <uaf/> node from that foreign document is handed over as $arg.
$xp->registerPHPFunctionNS('my.ns', 'process', function ($arg) {
    return 'x';
});
$xp->query('my:process(my:include()/uaf)');
// Tearing down the DOMXPath object frees the foreign document.
unset($xp);
```
results in a use-after-free (UAF). The argument-node proxy is created against the DOMXPath's own dom_object instead of the node's document, so it holds no reference on the foreign document. When node_list is torn down at unset($xp), that document is freed while the proxy still points into it.
Similar issue: #22077
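As an added illustration (not part of the report and not the upstream fix), the same script with a user-side workaround: the callback stores every document it creates in a variable that outlives the DOMXPath object, so the foreign document cannot be released while the argument-node proxy still points into it. The `$keepAlive` array and the release ordering are assumptions made for this example.

```php
<?php
$doc = new DOMDocument;
$doc->loadXML('<root/>');
$xp = new DOMXPath($doc);
$xp->registerNamespace('my', 'my.ns');

// Assumed workaround: hold a reference to each callback-created document
// for longer than the DOMXPath object lives.
$keepAlive = [];

$xp->registerPHPFunctionNS('my.ns', 'include', function () use (&$keepAlive) {
    $d = new DOMDocument;
    $d->loadXML('<r><uaf/></r>');
    $keepAlive[] = $d;          // document now survives the callback's return
    return $d->documentElement;
});
$xp->registerPHPFunctionNS('my.ns', 'process', function ($arg) {
    // $arg is the <uaf/> proxy; its owner document is still referenced above.
    return 'x';
});

$xp->query('my:process(my:include()/uaf)');

unset($xp);        // node_list torn down; foreign document still alive
unset($keepAlive); // documents released only after the XPath object is gone
```

The ordering of the two unset() calls is the point: the documents must be dropped after the DOMXPath object, never before.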
PHP Version
Operating System
No response