From 42497c1ea56a8452af84ea9c2177c1175f4136d6 Mon Sep 17 00:00:00 2001
From: Gina Peter Banyard <girgias@php.net>
Date: Fri, 9 Aug 2024 17:41:02 +0100
Subject: [PATCH] ext/soap: Deprecate passing an int to
 SoapServer::addFunction() (#15310)

Also deprecate SOAP_FUNCTIONS_ALL constant.

RFC: https://wiki.php.net/rfc/deprecations_php_8_4#deprecate_soap_functions_all_constant_and_passing_it_to_soapserveraddfunction
---
 NEWS                          | 6 ++++++
 UPGRADING                     | 8 ++++++++
 ext/soap/soap.c               | 5 +++++
 ext/soap/soap.stub.php        | 1 +
 ext/soap/soap_arginfo.h       | 4 ++--
 ext/soap/tests/server003.phpt | 5 ++++-
 6 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/NEWS b/NEWS
index 92f9b2ee149..1fdc3f7c9e8 100644
--- a/NEWS
+++ b/NEWS
@@ -45,6 +45,12 @@ PHP                                                                        NEWS
   . INI settings session.sid_length and session.sid_bits_per_character are now
     deprecated. (timwolla)
 
+- SOAP:
+  . Passing an int to SoapServer::addFunction() is now deprecated.
+    If all PHP functions need to be provided flatten the array returned by
+    get_defined_functions(). (Girgias)
+  . The SOAP_FUNCTIONS_ALL constant is now deprecated. (Girgias)
+
 - SPL:
   . The SplFixedArray::__wakeup() method has been deprecated as it implements
     __serialize() and __unserialize() which need to be overwritten instead.
diff --git a/UPGRADING b/UPGRADING
index 2ccfe438493..6fc76481112 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -473,6 +473,14 @@ PHP 8.4 UPGRADE NOTES
     hexadecimal session IDs and stop changing these two INI settings.
     RFC: https://wiki.php.net/rfc/deprecations_php_8_4
 
+- SOAP:
+  . Passing an int to SoapServer::addFunction() is now deprecated.
+    If all PHP functions need to be provided flatten the array returned by
+    get_defined_functions().
+    RFC: https://wiki.php.net/rfc/deprecations_php_8_4#deprecate_soap_functions_all_constant_and_passing_it_to_soapserveraddfunction
+  . The SOAP_FUNCTIONS_ALL constant is now deprecated.
+    RFC: https://wiki.php.net/rfc/deprecations_php_8_4#deprecate_soap_functions_all_constant_and_passing_it_to_soapserveraddfunction
+
 - SPL:
   . The SplFixedArray::__wakeup() method has been deprecated as it implements
     __serialize() and __unserialize() which need to be overwritten instead.
diff --git a/ext/soap/soap.c b/ext/soap/soap.c
index 7ecd6a905da..b152a1a187a 100644
--- a/ext/soap/soap.c
+++ b/ext/soap/soap.c
@@ -1206,6 +1206,11 @@ PHP_METHOD(SoapServer, addFunction)
 		zend_string_release_ex(key, 0);
 	} else if (Z_TYPE_P(function_name) == IS_LONG) {
 		if (Z_LVAL_P(function_name) == SOAP_FUNCTIONS_ALL) {
+			php_error_docref(NULL, E_DEPRECATED, "Enabling all functions via SOAP_FUNCTIONS_ALL is deprecated since 8.4, due to possible security concerns."
+				" If all PHP functions should be enabled, the flattened return value of get_defined_functions() can be used");
+			if (UNEXPECTED(EG(exception))) {
+				RETURN_THROWS();
+			}
 			if (service->soap_functions.ft != NULL) {
 				zend_hash_destroy(service->soap_functions.ft);
 				efree(service->soap_functions.ft);
diff --git a/ext/soap/soap.stub.php b/ext/soap/soap.stub.php
index 8806d73662d..a387c3a2d75 100644
--- a/ext/soap/soap.stub.php
+++ b/ext/soap/soap.stub.php
@@ -44,6 +44,7 @@ namespace {
     /**
      * @var int
      * @cvalue SOAP_FUNCTIONS_ALL
+     * @deprecated since 8.4
      */
     const SOAP_FUNCTIONS_ALL = UNKNOWN;
 
diff --git a/ext/soap/soap_arginfo.h b/ext/soap/soap_arginfo.h
index 857c3f4be3c..63e5a01910c 100644
--- a/ext/soap/soap_arginfo.h
+++ b/ext/soap/soap_arginfo.h
@@ -1,5 +1,5 @@
 /* This is a generated file, edit the .stub.php file instead.
- * Stub hash: 81d0b54b93829f3cd4b12731f6b6ae140b06a0f1 */
+ * Stub hash: 66221c42416635403ee6d49c12884e94073b67f2 */
 
 ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX(arginfo_use_soap_error_handler, 0, 0, _IS_BOOL, 0)
 	ZEND_ARG_TYPE_INFO_WITH_DEFAULT_VALUE(0, enable, _IS_BOOL, 0, "true")
@@ -239,7 +239,7 @@ static void register_soap_symbols(int module_number)
 	REGISTER_LONG_CONSTANT("SOAP_1_2", SOAP_1_2, CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("SOAP_PERSISTENCE_SESSION", SOAP_PERSISTENCE_SESSION, CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("SOAP_PERSISTENCE_REQUEST", SOAP_PERSISTENCE_REQUEST, CONST_PERSISTENT);
-	REGISTER_LONG_CONSTANT("SOAP_FUNCTIONS_ALL", SOAP_FUNCTIONS_ALL, CONST_PERSISTENT);
+	REGISTER_LONG_CONSTANT("SOAP_FUNCTIONS_ALL", SOAP_FUNCTIONS_ALL, CONST_PERSISTENT | CONST_DEPRECATED);
 	REGISTER_LONG_CONSTANT("SOAP_ENCODED", SOAP_ENCODED, CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("SOAP_LITERAL", SOAP_LITERAL, CONST_PERSISTENT);
 	REGISTER_LONG_CONSTANT("SOAP_RPC", SOAP_RPC, CONST_PERSISTENT);
diff --git a/ext/soap/tests/server003.phpt b/ext/soap/tests/server003.phpt
index fb3e0d1b77c..1425daf8194 100644
--- a/ext/soap/tests/server003.phpt
+++ b/ext/soap/tests/server003.phpt
@@ -26,7 +26,10 @@ EOF;
 $server->handle($HTTP_RAW_POST_DATA);
 echo "ok\n";
 ?>
---EXPECT--
+--EXPECTF--
+Deprecated: Constant SOAP_FUNCTIONS_ALL is deprecated in %s on line %d
+
+Deprecated: SoapServer::addFunction(): Enabling all functions via SOAP_FUNCTIONS_ALL is deprecated since 8.4, due to possible security concerns. If all PHP functions should be enabled, the flattened return value of get_defined_functions() can be used in %s on line %d
 <?xml version="1.0" encoding="UTF-8"?>
 <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ns1="http://testuri.org" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:strlenResponse><return xsi:type="xsd:int">11</return></ns1:strlenResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>
 ok