From 80d580b29228325d2c69bb22d9542947ab83732c Mon Sep 17 00:00:00 2001
From: David Carlier
Date: Wed, 3 Jun 2026 20:55:17 +0100
Subject: [PATCH] Fix GH-22218: SoapServer::handle() crash on non-array `$_SERVER`.
Move the HTTP_SOAPACTION lookup inside the existing $_SERVER NULL/array guard; it dereferenced server_vars unconditionally, crashing when $_SERVER was unset or a scalar.
Fix #22218 close GHH-22220
---
 NEWS | 4 ++++
 ext/soap/soap.c | 6 +++---
 ext/soap/tests/gh22218.phpt | 25 +++++++++++++++++++++++++
 3 files changed, 32 insertions(+), 3 deletions(-)
 create mode 100644 ext/soap/tests/gh22218.phpt
diff --git a/NEWS b/NEWS
index ae8cf7dbb874..9a98aadadf82 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,10 @@ PHP NEWS
 Phar::addEmptyDir() for paths starting with "/.phar", while allowing non-magic directory names that merely share the ".phar" prefix. (Weilin Du)
+- SOAP:
+ . Fixed bug GH-22218 (SoapServer::handle() crash on $_SERVER not being
+ an array). (David Carlier / Rex-Reynolds)
+
 - Zlib:
 . Fixed memory leak if deflate initialization fails and there is a dict. (ndossche)
diff --git a/ext/soap/soap.c b/ext/soap/soap.c
index 5213928885b2..b7ed44929872 100644
--- a/ext/soap/soap.c
+++ b/ext/soap/soap.c
@@ -1393,10 +1393,10 @@ PHP_METHOD(SoapServer, handle)
 return;
 }
 }
- }
- if ((soap_action_z = zend_hash_str_find(Z_ARRVAL_P(server_vars), ZEND_STRL("HTTP_SOAPACTION"))) != NULL && Z_TYPE_P(soap_action_z) == IS_STRING) {
- soap_action = Z_STRVAL_P(soap_action_z);
+ if ((soap_action_z = zend_hash_str_find(Z_ARRVAL_P(server_vars), ZEND_STRL("HTTP_SOAPACTION"))) != NULL && Z_TYPE_P(soap_action_z) == IS_STRING) {
+ soap_action = Z_STRVAL_P(soap_action_z);
+ }
 }
 doc_request = soap_xmlParseFile("php://input");
diff --git a/ext/soap/tests/gh22218.phpt b/ext/soap/tests/gh22218.phpt
new file mode 100644
index 000000000000..5b0714037a0a
--- /dev/null
+++ b/ext/soap/tests/gh22218.phpt
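Review bot: The relocated HTTP_SOAPACTION lookup in SoapServer::handle() (ext/soap/soap.c) is safe only because it now sits inside the enclosing `server_vars` guard, and nothing at the lookup records that, so a later refactor could hoist it back out. `Z_ARRVAL_P` on a zval that is not an array reads the value slot as a `HashTable *`, which makes the scalar `$_SERVER` case a type confusion rather than only a NULL dereference. I would add a comment above the `if`, for example `/* Z_ARRVAL_P(server_vars) is valid only inside this guard: $_SERVER may be unset or overwritten with a non-array */`. The guard's opening condition lies outside the hunk, so that it tests both NULL and IS_ARRAY rests on the commit message; the rest of handle() should also be checked for any other `Z_ARRVAL_P(server_vars)` use outside it.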
@@ -0,0 +1,25 @@
+--TEST--
+GH-22218 (SoapServer::handle() segfault on non-array/unset $_SERVER)
+--EXTENSIONS--
+soap
+--CREDITS--
+Rex-Reynolds
+--SKIPIF--
+
+--POST--
+
+
+
+
+
+--FILE--
+ 'http://test-uri']);
+$server->handle();
+?>
+--EXPECTF--
+%AFunction 'test' doesn't exist%A
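Review bot: The test title names two states, unset and non-array `$_SERVER`, but the FILE section as visible here makes a single `$server->handle();` call, so it can exercise only one of them. Part of that section appears to have been lost when the page was extracted, so which state it sets up cannot be read from here. If only one is covered, a sibling .phpt that differs in its setup line alone (for instance `unset($_SERVER);` against `$_SERVER = 1;`, both constructed examples) would pin both paths named in the commit message. The `%A` wildcards on either side of the expected line also accept any extra warning output, which is worth narrowing if the fault envelope allows it.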