
Commit b939fc8

authored
Merge commit from fork
Security advisory GHSA-356v-7xg2-3678
1 parent 8022702 commit b939fc8


1 file changed

+46
-28
lines changed

1 file changed

+46
-28
lines changed

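--- a/main/inc/lib/nusoap/class.soap_server.php
+++ b/main/inc/lib/nusoap/class.soap_server.php
@@ -586,34 +586,52 @@ function invoke_method() {
 $this->appendDebug($this->varDump($this->methodparams));
 $this->debug("in invoke_method, calling '$this->methodname'");
 if (!function_exists('call_user_func_array')) {
-if ($class == '') {
-$this->debug('in invoke_method, calling function using eval()');
-$funcCall = "\$this->methodreturn = $this->methodname(";
-} else {
-if ($delim == '..') {
-$this->debug('in invoke_method, calling class method using eval()');
-$funcCall = "\$this->methodreturn = ".$class."::".$method."(";
-} else {
-$this->debug('in invoke_method, calling instance method using eval()');
-// generate unique instance name
-$instname = "\$inst_".time();
-$funcCall = $instname." = new ".$class."(); ";
-$funcCall .= "\$this->methodreturn = ".$instname."->".$method."(";
-}
-}
-if ($this->methodparams) {
-foreach ($this->methodparams as $param) {
-if (is_array($param) || is_object($param)) {
-$this->fault('SOAP-ENV:Client', 'NuSOAP does not handle complexType parameters correctly when using eval; call_user_func_array must be available');
-return;
-}
-$funcCall .= "\"$param\",";
-}
-$funcCall = substr($funcCall, 0, -1);
-}
-$funcCall .= ');';
-$this->debug('in invoke_method, function call: '.$funcCall);
-@eval($funcCall);
+try {
+if ($class == '') {
+$this->debug('in invoke_method, calling function using eval()');
+$reflectionFunction = new ReflectionFunction($this->methodname);
+$params = $reflectionFunction->getParameters();
+
+if (count($params) !== count($this->methodparams)) {
+throw new Exception('Paremeter count mismatch');
+}
+
+$this->methodreturn = $reflectionFunction->invokeArgs(array_values($this->methodparams));
+} else {
+$reflectionMethod = new ReflectionMethod($class, $method);
+$params = $reflectionMethod->getParameters();
+
+if (count($params) !== count($this->methodparams)) {
+throw new Exception('Paremeter count mismatch');
+}
+
+$instance = null;
+
+if ($delim == '..') {
+if (!$reflectionMethod->isStatic()) {
+throw new Exception("Method '$method' is not static");
+}
+} else {
+if ($reflectionMethod->isStatic()) {
+throw new Exception("Method '$method' is static");
+}
+
+$instance = new $class();
+}
+
+$this->methodreturn = $reflectionMethod->invokeArgs($instance, array_values($this->methodparams));
+}
+
+$this->debug('in invoke_method, methodreturn: ' . $this->varDump($this->methodreturn));
+} catch (ReflectionException $e) {
+$this->fault('SOAP-ENV:Client', 'Error invoking method: '.$e->getMessage());
+
+return;
+} catch (Exception $e) {
+$this->fault('SOAP-ENV:Client', $e->getMessage());
+
+return;
+}
 } else {
 if ($class == '') {
 $this->debug('in invoke_method, calling function using call_user_func_array()');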
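Review bot: The `catch (Exception $e)` at new line 630 also encloses both `invokeArgs()` calls, so an exception thrown by the invoked service function itself is returned verbatim to the remote caller as a `SOAP-ENV:Client` fault, and the `ReflectionException` text at new line 627 tells the caller whether a given class or method exists. A fixed fault string such as `$this->fault('SOAP-ENV:Client', 'Error invoking method');` with the detail kept in a server-side log would avoid both disclosures. The new parameter-count and static/instance checks sit only inside the `!function_exists('call_user_func_array')` branch; the `else` branch that begins at new line 635 continues outside the hunk, so whether the commonly taken path gets the same checks cannot be seen here. The debug string at new line 591 still says `using eval()`, and `'Paremeter count mismatch'` (new lines 596 and 605) is misspelled.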
