ID:               42952
Updated by:       [EMAIL PROTECTED]
Reported By:      glen at delfi dot ee
-Status:          Assigned
+Status:          Feedback
Bug Type:         SOAP related
Operating System: PLD Linux
PHP Version:      5.2.4
Assigned To:      dmitry
New Comment:

I am not sure it is a good patch. The same WSDL files may be used by
different users and your patch will allow access to the cache only to the
first user.


Previous Comments:
------------------------------------------------------------------------

[2007-10-12 16:55:27] glen at delfi dot ee

here's a patch to fix the problem:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/SOURCES/php-bug-42952.patch

------------------------------------------------------------------------

[2007-10-12 16:53:01] glen at delfi dot ee

Description:
------------
soap cache file is created with insecure permissions on some
configurations:
-rw-rw-rw- 1 http http 67K Oct 12 19:10 wsdl-cf39a31ae8dbd9b9899539495756434d

by default cache is enabled and cache directory is set to /tmp:
http://ee.php.net/manual/en/ref.soap.php

#ifdef ZEND_WIN32
    f = open(fn,O_CREAT|O_WRONLY|O_EXCL|O_BINARY,S_IREAD|S_IWRITE);
#else
    f = open(fn,O_CREAT|O_WRONLY|O_EXCL|O_BINARY,S_IREAD|S_IWRITE|
S_IROTH|S_IWOTH|S_IRGRP|S_IWGRP);
#endif

probably in shared environments somebody could replace the cache file with
evil content and cause soap requests to be sent to an infected webserver
capturing user passwords logins, depending on application.

Reproduce code:
---------------
create sample wsdl.xml from:
http://www.roguewave.com/support/docs/leif/leif/html/soapworxug/A-1.html

$ (rm -f /tmp/wsdl-*; umask 0; strace -ff -eopen php -r '$s = new SoapClient("/tmp/wsdl.xml");' 2>&1|grep wsdl; ls -l /tmp/wsdl-*)
open("/tmp/wsdl-d3d4b363f5423ee77d7e0342af8881c7", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/tmp/wsdl.xml", O_RDONLY) = 5
open("/tmp/wsdl-d3d4b363f5423ee77d7e0342af8881c7", O_WRONLY|O_CREAT|O_EXCL, 0666) = 5
-rw-rw-rw- 1 glen glen 488 2007-10-12 19:50 /tmp/wsdl-d3d4b363f5423ee77d7e0342af8881c7


------------------------------------------------------------------------


--
Edit this bug report at http://bugs.php.net/?id=42952&edit=1
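
The permission problem described in this report, as an added example in C. It is not PHP's code and not the patch linked above; the function names cache_create, cache_open_trusted and file_mode and the temporary paths are constructed for illustration. It shows a writer that requests owner-only bits and a reader that refuses a cache file it cannot trust.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Writer: request owner-only bits, so even umask 0 cannot give 0666.
 * O_EXCL fails if the path already exists, including a planted symlink. */
int cache_create(const char *fn) {
    return open(fn, O_CREAT | O_WRONLY | O_EXCL, S_IRUSR | S_IWUSR);
}

/* Reader: accept only a regular file owned by the calling user and not
 * writable by group or others. fstat() runs on the open descriptor, so
 * the checks apply to the file that will actually be read. */
int cache_open_trusted(const char *fn) {
    struct stat sb;
    int fd = open(fn, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &sb) != 0 || !S_ISREG(sb.st_mode) ||
        sb.st_uid != geteuid() || (sb.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permission bits of an existing file, or -1 on error. */
int file_mode(const char *fn) {
    struct stat sb;
    return stat(fn, &sb) == 0 ? (int)(sb.st_mode & 0777) : -1;
}

int main(void) {
    char dir[] = "/tmp/wsdl-demo-XXXXXX", fn[64]; /* constructed paths */
    if (!mkdtemp(dir)) return 1;
    snprintf(fn, sizeof fn, "%s/wsdl-cache", dir);
    umask(0);                    /* same condition as the reproduce step */
    int fd = cache_create(fn);
    if (fd >= 0) close(fd);
    printf("created with mode %o\n", (unsigned)file_mode(fn));
    unlink(fn);
    rmdir(dir);
    return fd >= 0 ? 0 : 1;
}
```

The owner check separates accounts only when they run under different uids; where every site runs as the same user (the `http http` listing in the report), the cache files are shared regardless of mode.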