[PHP-DEV] SOAPClient authentication problem
I sent this message to the php.soap newsgroup, but no one answered me.

Today I found a nasty problem with a simple php SOAP client. Never had
problems before, but today I have the following error at SOAPClient
constructor line:

SoapClient::SoapClient(http://www.w3.org/2001/xml.xsd): failed to open stream: HTTP request failed! HTTP/1.1 401 Authorization Required

The source is as simple as:

$client = new SoapClient("http://my.host.com/my_web_service?wsdl",
    array( 'trace' => TRUE,
           'login'=>'mylogin',
           'password'=>'secret'
    )
);

It seems that the php xml parser tries to fetch the url
http://www.w3.org/2001/xml.xsd at wsdl parsing time. Sniffing the
network operations I found that php uses my login and password (for the
web service) also to access external references! :-O

GET /2001/xml.xsd HTTP/1.0
Authorization: Basic bXlsb2dpbjpzZWNyZXQ=
Host: www.w3.org

In the past probably w3.org just ignored the issue, but now I receive an
HTTP 401 Unauthorized error in response...

In any case it is a serious security issue if SOAPClient sends password
around the web, when the intent is that they are used only for the web
service host!

I tried the following PHP versions:

PHP 5.2.3-1ubuntu6.5 (cli) (built: Feb 11 2009 19:55:53)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

PHP 5.2.8 (cli) (built: Dec 17 2008 00:54:27)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
    with Zend Extension Manager v1.0.11, Copyright (c) 2003-2006, by Zend Technologies
    with Zend Optimizer v3.2.0, Copyright (c) 1998-2006, by Zend Technologies
    with Zend Debugger v5.2.2, Copyright (c) 1999-2006, by Zend Technologies

Regards,
Davide

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-DEV] Re: [SOAP] SOAPClient authentication problem
David Zülke wrote:
> Can do, but I wanted to figure out a way to create a reproduce case
> first (I already have an idea).
>
> - David
>
>
> On 24.07.2009, at 12:20, Dmitry Stogov wrote:
>
>> Hi David,
>>
>> Please report a bug on bugs.php.net (assign it to dmitry).
>> I'll look into it later.
>>
>> Thanks. Dmitry.
>>
>> David Zülke wrote:
>>> This sounds like a serious issue, but I'm not sure if it's in libxml or
>>> in ext/soap. Will have a look later; but maybe Dmitry or someone else
>>> knows off the top of their heads?
>>>
>>> - David
>>>
>>>
>>> Begin forwarded message:
>>>
>>>> From: Davide Romanini
>>>> Date: 30. Juni 2009 11:49:30 MESZ
>>>> To: s...@lists.php.net
>>>> Subject: [SOAP] SOAPClient authentication problem
>>>> Reply-To: d.roman...@cineca.it
>>>>
>>>> Hi,
>>>>
>>>> Today I found a nasty problem with a simple php SOAP client. Never had
>>>> problems before, but today I have the following error at SOAPClient
>>>> constructor line:
>>>>
>>>> SoapClient::SoapClient(http://www.w3.org/2001/xml.xsd): failed to open
>>>> stream: HTTP request failed! HTTP/1.1 401 Authorization Required
>>>>
>>>> The source is as simple as:
>>>>
>>>> $client = new SoapClient("http://my.host.com/my_web_service?wsdl",
>>>>     array( 'trace' => TRUE,
>>>>            'login'=>'mylogin',
>>>>            'password'=>'secret'
>>>>     )
>>>> );
>>>>
>>>> It seems that the php xml parser tries to fetch the url
>>>> http://www.w3.org/2001/xml.xsd at wsdl parsing time. Sniffing the
>>>> network operations I found that php uses my login and password (for the
>>>> web service) also to access external references! :-O
>>>>
>>>> GET /2001/xml.xsd HTTP/1.0
>>>> Authorization: Basic bXlsb2dpbjpzZWNyZXQ=
>>>> Host: www.w3.org
>>>>
>>>> In the past probably w3.org just ignored the issue, but now I receive an
>>>> HTTP 401 Unauthorized error in response...
>>>>
>>>> In any case it is a serious security issue if SOAPClient sends password
>>>> around the web, when the intent is that they are used only for the web
>>>> service host!
>>>>
>>>> I tried the following PHP versions:
>>>>
>>>> PHP 5.2.3-1ubuntu6.5 (cli) (built: Feb 11 2009 19:55:53)
>>>> Copyright (c) 1997-2007 The PHP Group
>>>> Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
>>>>
>>>> PHP 5.2.8 (cli) (built: Dec 17 2008 00:54:27)
>>>> Copyright (c) 1997-2008 The PHP Group
>>>> Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
>>>>     with Zend Extension Manager v1.0.11, Copyright (c) 2003-2006, by Zend Technologies
>>>>     with Zend Optimizer v3.2.0, Copyright (c) 1998-2006, by Zend Technologies
>>>>     with Zend Debugger v5.2.2, Copyright (c) 1999-2006, by Zend Technologies
>>>>
>>>>
>>>> Regards,
>>>> Davide
>>>>
>>>> --
>>>> PHP Soap Mailing List (http://www.php.net/)
>>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>>
>>>
>>
>

It's really simple to reproduce. Take this example wsdl:

http://schemas.xmlsoap.org/wsdl/"
xmlns:sch="http://mycompany.com/hr/schemas"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:tns="http://mycompany.com/hr/schemas"
targetNamespace="http://mycompany.com/hr/schemas">
http://mycompany.com/hr/schemas"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified"
targetNamespace="http://mycompany.com/hr/schemas">
http://www.w3.org/XML/1998/namespace"
schemaLocation="http://www.w3.org/2001/xml.xsd"/>
[PHP-DEV] PHP Stream wrappers seek with whence SEEK_CUR doesn't work
Hi,

I'm developing a custom stream wrapper and I've found this bug
implementing the stream_seek() method.

My php version:

PHP 5.2.8 (cli) (built: Dec 17 2008 00:54:27)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
    with Zend Extension Manager v1.0.11, Copyright (c) 2003-2006, by Zend Technologies
    with Zend Optimizer v3.2.0, Copyright (c) 1998-2006, by Zend Technologies
    with Zend Debugger v5.2.2, Copyright (c) 1999-2006, by Zend Technologies

I've attached a simple script to reproduce the bug. It's a modified
version of the example stream wrapper at
http://www.php.net/manual/en/stream.streamwrapper.example-1.php.

Expected result should be:

whence=0 whence=1 whence=0 line1 line2 line3

but it is:

whence=0 whence=0 whence=0 line1 line2 line3

It seems that the SEEK_CUR parameter is always ignored and the whence
value passed to my wrapper is SEEK_SET. Using SEEK_END works as expected.

Regards,
Davide Romanini
Re: [PHP-DEV] PHP Stream wrappers seek with whence SEEK_CUR doesn't work
On Wed, 04 Nov 2009 12:11:40 +0100, Johannes Schlüter wrote:

> Hi,
>
> On Wed, 2009-11-04 at 10:18 +0100, Davide Romanini wrote:
>> My php version:
>> PHP 5.2.8 (cli) (built: Dec 17 2008 00:54:27)
>
> Please use a recent version of PHP.
>
>> Copyright (c) 1997-2008 The PHP Group
>> Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
>>     with Zend Extension Manager v1.0.11, Copyright (c) 2003-2006, by Zend Technologies
>>     with Zend Optimizer v3.2.0, Copyright (c) 1998-2006, by Zend Technologies
>>     with Zend Debugger v5.2.2, Copyright (c) 1999-2006, by Zend Technologies
>
> Please disable third party modules before reporting any issues to us.
>

I'll take time to try the script on php 5.2.11. I tried also on php 5.2.6
without zend extensions without success. If someone on the list could try
it on a php 5.2.11 sandbox it is very welcome :-)

>> I've attached a simple script to reproduce the bug. It's a modified
>> version of the example stream wrapper at
>> http://www.php.net/manual/en/stream.streamwrapper.example-1.php.
> [...]
>> It seems that the SEEK_CUR parameter is always ignored and the whence
>> value passed to my wrapper is SEEK_SET.
>
> I think (didn't verify) that PHP keeps track of the position and
> rewrites CUR to SET accordingly, but as said: Didn't verify.
>

Well, and why the hell php should do that?? It is a bug to me.

Regards,
Davide Romanini