[PHP-DEV] SOAPClient authentication problem

2009-07-02 Thread Davide Romanini
I sent this message to the php.soap newsgroup, but no one answered me.


Today I found a nasty problem with a simple php SOAP client. Never had
problems before, but today I have the following error at SOAPClient
constructor line:

SoapClient::SoapClient(http://www.w3.org/2001/xml.xsd): failed to open
stream: HTTP request failed! HTTP/1.1 401 Authorization Required

The source is as simple as:

$client = new SoapClient("http://my.host.com/my_web_service?wsdl",
    array(
        'trace'    => TRUE,
        'login'    => 'mylogin',
        'password' => 'secret'
    )
);

It seems that the php xml parser tries to fetch the url
http://www.w3.org/2001/xml.xsd at wsdl parsing time. Sniffing the
network operations I found that php uses my login and password (for the
web service) also to access external references! :-O

GET /2001/xml.xsd HTTP/1.0
Authorization: Basic bXlsb2dpbjpzZWNyZXQ=
Host: www.w3.org

In the past probably w3.org just ignored the issue, but now I receive an
HTTP 401 Unauthorized error in response...

In any case it is a serious security issue if SOAPClient sends passwords
around the web, when the intent is that they are used only for the web
service host!

I tried the following PHP versions:

PHP 5.2.3-1ubuntu6.5 (cli) (built: Feb 11 2009 19:55:53)
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

PHP 5.2.8 (cli) (built: Dec 17 2008 00:54:27)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
with Zend Extension Manager v1.0.11, Copyright (c) 2003-2006, by
Zend Technologies
with Zend Optimizer v3.2.0, Copyright (c) 1998-2006, by Zend
Technologies
with Zend Debugger v5.2.2, Copyright (c) 1999-2006, by Zend Technologies


Regards,
Davide

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php



[PHP-DEV] Re: [SOAP] SOAPClient authentication problem

2009-07-24 Thread Davide Romanini
David Zülke wrote:
> Can do, but I wanted to figure out a way to create a reproduce case
> first (I already have an idea).
> 
> - David
> 
> 
> 
> On 24.07.2009, at 12:20, Dmitry Stogov wrote:
> 
>> Hi David,
>>
>> Please report a bug on bugs.php.net (assign it to dmitry).
>> I'll look into it later.
>>
>> Thanks. Dmitry.
>>
>> David Zülke wrote:
>>> This sounds like a serious issue, but I'm not sure if it's in libxml or
>>> in ext/soap. Will have a look later; but maybe Dmitry or someone else
>>> knows off the top of their heads?
>>>
>>> - David
>>>
>>>
>>> Begin forwarded message:
>>>
>>>> From: Davide Romanini 
>>>> Date: 30 June 2009 11:49:30 CEST
>>>> To: s...@lists.php.net
>>>> Subject: [SOAP] SOAPClient authentication problem
>>>> Reply-To: d.roman...@cineca.it
>>>>
>>>> Hi,
>>>>
>>>> Today I found a nasty problem with a simple php SOAP client. Never had
>>>> problems before, but today I have the following error at SOAPClient
>>>> constructor line:
>>>>
>>>> SoapClient::SoapClient(http://www.w3.org/2001/xml.xsd): failed to open
>>>> stream: HTTP request failed! HTTP/1.1 401 Authorization Required
>>>>
>>>> The source is as simple as:
>>>>
>>>> $client = new SoapClient("http://my.host.com/my_web_service?wsdl",
>>>>     array(
>>>>         'trace'    => TRUE,
>>>>         'login'    => 'mylogin',
>>>>         'password' => 'secret'
>>>>     )
>>>> );
>>>>
>>>> It seems that the php xml parser tries to fetch the url
>>>> http://www.w3.org/2001/xml.xsd at wsdl parsing time. Sniffing the
>>>> network operations I found that php uses my login and password (for the
>>>> web service) also to access external references! :-O
>>>>
>>>> GET /2001/xml.xsd HTTP/1.0
>>>> Authorization: Basic bXlsb2dpbjpzZWNyZXQ=
>>>> Host: www.w3.org
>>>>
>>>> In the past probably w3.org just ignored the issue, but now I receive an
>>>> HTTP 401 Unauthorized error in response...
>>>>
>>>> In any case it is a serious security issue if SOAPClient sends password
>>>> around the web, when the intent is that they are used only for the web
>>>> service host!
>>>>
>>>> I tried the following PHP versions:
>>>>
>>>> PHP 5.2.3-1ubuntu6.5 (cli) (built: Feb 11 2009 19:55:53)
>>>> Copyright (c) 1997-2007 The PHP Group
>>>> Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
>>>>
>>>> PHP 5.2.8 (cli) (built: Dec 17 2008 00:54:27)
>>>> Copyright (c) 1997-2008 The PHP Group
>>>> Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
>>>>   with Zend Extension Manager v1.0.11, Copyright (c) 2003-2006, by
>>>> Zend Technologies
>>>>   with Zend Optimizer v3.2.0, Copyright (c) 1998-2006, by Zend
>>>> Technologies
>>>>   with Zend Debugger v5.2.2, Copyright (c) 1999-2006, by Zend
>>>> Technologies
>>>>
>>>>
>>>> Regards,
>>>> Davide
>>>>
>>>> -- 
>>>> PHP Soap Mailing List (http://www.php.net/)
>>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>>
>>>>
>>>
>>
> 

It's really simple to reproduce. Take this example wsdl:


http://schemas.xmlsoap.org/wsdl/"
xmlns:sch="http://mycompany.com/hr/schemas"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:tns="http://mycompany.com/hr/schemas"
targetNamespace="http://mycompany.com/hr/schemas">

http://mycompany.com/hr/schemas"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified"
targetNamespace="http://mycompany.com/hr/schemas">
http://www.w3.org/XML/1998/namespace"
schemaLocation="http://www.w3.org/2001/xml.xsd"/>
  

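A pre-flight check for the behaviour reported in this thread, as an added example that is not code from the thread or from PHP itself: it lists every schema or WSDL import in a WSDL document that points at a host other than the web service, so those references can be reviewed or mirrored locally before `login`/`password` are handed to SoapClient. The function name `findOffHostReferences` is hypothetical and the sample WSDL is constructed, modelled on the fragments quoted above.

```php
<?php
// Added example: names and the sample document are constructed for illustration.
const XSD_NS  = 'http://www.w3.org/2001/XMLSchema';
const WSDL_NS = 'http://schemas.xmlsoap.org/wsdl/';

/** Return every import/include URL in $wsdlXml whose host is not $serviceHost. */
function findOffHostReferences(string $wsdlXml, string $serviceHost): array
{
    $doc = new DOMDocument();
    // LIBXML_NONET: parsing for the audit must not trigger network fetches itself.
    if (!$doc->loadXML($wsdlXml, LIBXML_NONET)) {
        throw new RuntimeException('WSDL is not well-formed XML');
    }
    $targets = [
        [XSD_NS, 'import', 'schemaLocation'],
        [XSD_NS, 'include', 'schemaLocation'],
        [WSDL_NS, 'import', 'location'],
    ];
    $offHost = [];
    foreach ($targets as [$ns, $element, $attribute]) {
        foreach ($doc->getElementsByTagNameNS($ns, $element) as $node) {
            $url  = $node->getAttribute($attribute);
            $host = parse_url($url, PHP_URL_HOST);
            // Relative locations have no host and resolve against the WSDL URL.
            if (is_string($host) && strcasecmp($host, $serviceHost) !== 0) {
                $offHost[] = $url;
            }
        }
    }
    return $offHost;
}

// Constructed WSDL: one off-host import (xml.xsd) and one relative include.
$wsdl = <<<'XML'
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    targetNamespace="http://mycompany.com/hr/schemas">
  <wsdl:types>
    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
        targetNamespace="http://mycompany.com/hr/schemas">
      <xs:import namespace="http://www.w3.org/XML/1998/namespace"
          schemaLocation="http://www.w3.org/2001/xml.xsd"/>
      <xs:include schemaLocation="types.xsd"/>
    </xs:schema>
  </wsdl:types>
</wsdl:definitions>
XML;
foreach (findOffHostReferences($wsdl, 'my.host.com') as $url) {
    echo "off-host reference: $url\n";
}
```

Only the `www.w3.org` import is reported; the relative `types.xsd` include stays on the service host and is skipped.
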
[PHP-DEV] PHP Stream wrappers seek with whence SEEK_CUR doesn't work

2009-11-04 Thread Davide Romanini
Hi,

I'm developing a custom stream wrapper and I've found this bug
implementing the stream_seek() method.

My php version:
PHP 5.2.8 (cli) (built: Dec 17 2008 00:54:27)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
with Zend Extension Manager v1.0.11, Copyright (c) 2003-2006, by
Zend Technologies
with Zend Optimizer v3.2.0, Copyright (c) 1998-2006, by Zend
Technologies
with Zend Debugger v5.2.2, Copyright (c) 1999-2006, by Zend Technologies

I've attached a simple script to reproduce the bug. It's a modified
version of the example stream wrapper at
http://www.php.net/manual/en/stream.streamwrapper.example-1.php.

Expected result should be:
whence=0
whence=1
whence=0
line1
line2
line3

but it is:
whence=0
whence=0
whence=0
line1
line2
line3

It seems that the SEEK_CUR parameter is always ignored and the whence
value passed to my wrapper is SEEK_SET.

Using SEEK_END works as expected.

Regards,
Davide Romanini

Re: [PHP-DEV] PHP Stream wrappers seek with whence SEEK_CUR doesn't work

2009-11-04 Thread Davide Romanini
On Wed, 04 Nov 2009 12:11:40 +0100, Johannes Schlüter wrote:

> Hi,
> 
> On Wed, 2009-11-04 at 10:18 +0100, Davide Romanini wrote:
>> My php version:
>> PHP 5.2.8 (cli) (built: Dec 17 2008 00:54:27)
> 
> Please use a recent version of PHP.
> 
>> Copyright (c) 1997-2008 The PHP Group Zend Engine v2.2.0, Copyright (c)
>> 1998-2008 Zend Technologies
>> with Zend Extension Manager v1.0.11, Copyright (c) 2003-2006, by
>> Zend Technologies
>> with Zend Optimizer v3.2.0, Copyright (c) 1998-2006, by Zend
>> Technologies
>> with Zend Debugger v5.2.2, Copyright (c) 1999-2006, by Zend
>> Technologies
> 
> Please disable third party modules before reporting any issues to us.
> 

I'll take time to try the script on php 5.2.11. I tried also on php 5.2.6 
without zend extensions without success. If someone on the list could try 
it on a php 5.2.11 sandbox it is very welcome :-)

>> I've attached a simple script to reproduce the bug. It's a modified
>> version of the example stream wrapper at
>> http://www.php.net/manual/en/stream.streamwrapper.example-1.php.
> [...]
>> It seems that the SEEK_CUR parameter is always ignored and the whence
>> value passed to my wrapper is SEEK_SET.
> 
> I think (didn't verify) that PHP keeps track of the position and
> rewrites CUR to SET accordingly, but as said: Didn't verify.
> 

Well, and why the hell should php do that?? It is a bug to me.

Regards,
Davide Romanini