Hi, Today I found a nasty problem with a simple php SOAP client. Never had problems before, but today I have the following error at SOAPClient constructor line: SoapClient::SoapClient(http://www.w3.org/2001/xml.xsd): failed to open stream: HTTP request failed! HTTP/1.1 401 Authorization Required The source is as simple as: $client = new SoapClient("http://my.host.com/my_web_service?wsdl";, array( 'trace' => TRUE, 'login'=>'mylogin', 'password'=>'secret' ) ); It seems that the php xml parser tries to fetch the url http://www.w3.org/2001/xml.xsd at wsdl parsing time. Sniffing the network operations I found that php uses my login and password (for the web service) also to access external references! :-O GET /2001/xml.xsd HTTP/1.0 Authorization: Basic bXlsb2dpbjpzZWNyZXQ= Host: www.w3.org In the past probably w3.org just ignored the issue, but now I receive an HTTP 401 Unauthorized error in response... In any case it is a serious security issue if SOAPClient sends password around the web, when the intent is that they are used only for the web service host! I tried the following PHP versions: PHP 5.2.3-1ubuntu6.5 (cli) (built: Feb 11 2009 19:55:53) Copyright (c) 1997-2007 The PHP Group Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies PHP 5.2.8 (cli) (built: Dec 17 2008 00:54:27) Copyright (c) 1997-2008 The PHP Group Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies with Zend Extension Manager v1.0.11, Copyright (c) 2003-2006, by Zend Technologies with Zend Optimizer v3.2.0, Copyright (c) 1998-2006, by Zend Technologies with Zend Debugger v5.2.2, Copyright (c) 1999-2006, by Zend Technologies Regards, Davide -- PHP Soap Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
