- David

Begin forwarded message:

From: Davide Romanini <davide.romanini@gmail.com>
Date: 30 June 2009 11:49:30 CEST
To: soap@lists.php.net
Subject: SOAPClient authentication problem
Reply-To: d.romanini@cineca.it

Hi,

Today I found a nasty problem with a simple php SOAP client. Never had problems before, but today I have the following error at SOAPClient constructor line:

    SoapClient::SoapClient(http://www.w3.org/2001/xml.xsd): failed to open stream: HTTP request failed! HTTP/1.1 401 Authorization Required

The source is as simple as:

    $client = new SoapClient("http://my.host.com/my_web_service?wsdl",
        array(
            'trace'    => TRUE,
            'login'    => 'mylogin',
            'password' => 'secret'
        )
    );

It seems that the php xml parser tries to fetch the url http://www.w3.org/2001/xml.xsd at wsdl parsing time. Sniffing the network operations I found that php uses my login and password (for the web service) also to access external references! :-O

    GET /2001/xml.xsd HTTP/1.0
    Authorization: Basic bXlsb2dpbjpzZWNyZXQ=
    Host: www.w3.org

In the past probably w3.org just ignored the issue, but now I receive an HTTP 401 Unauthorized error in response...

In any case it is a serious security issue if SOAPClient sends password around the web, when the intent is that they are used only for the web service host!

I tried the following PHP versions:

    PHP 5.2.3-1ubuntu6.5 (cli) (built: Feb 11 2009 19:55:53)
    Copyright (c) 1997-2007 The PHP Group
    Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

    PHP 5.2.8 (cli) (built: Dec 17 2008 00:54:27)
    Copyright (c) 1997-2008 The PHP Group
    Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
        with Zend Extension Manager v1.0.11, Copyright (c) 2003-2006, by Zend Technologies
        with Zend Optimizer v3.2.0, Copyright (c) 1998-2006, by Zend Technologies
        with Zend Debugger v5.2.2, Copyright (c) 1999-2006, by Zend Technologies

Regards,
Davide

--
PHP Soap Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
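
Added example, not part of the original message and not PHP's own code: a pre-flight audit that parses a WSDL offline and lists the import/include references that point at a host other than the web service, i.e. the requests on which the login and password configured for the service must not appear. The function name foreignReferences, the sample WSDL, and the types.wsdl and common.xsd references are constructed for illustration; the comparison is by hostname only.

```php
<?php
// Constructed sample WSDL; my.host.com and the xml.xsd URL mirror the message above.
$wsdl = <<<'XML'
<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema"
             targetNamespace="urn:example">
  <import namespace="urn:example:types" location="types.wsdl"/>
  <types>
    <xsd:schema targetNamespace="urn:example">
      <xsd:import namespace="http://www.w3.org/XML/1998/namespace"
                  schemaLocation="http://www.w3.org/2001/xml.xsd"/>
      <xsd:include schemaLocation="http://my.host.com/schemas/common.xsd"/>
    </xsd:schema>
  </types>
</definitions>
XML;

// Return every import/include reference whose host differs from the host of
// $serviceUrl. Relative references resolve to the service host and are skipped.
function foreignReferences(string $xml, string $serviceUrl): array
{
    $serviceHost = strtolower((string) parse_url($serviceUrl, PHP_URL_HOST));
    $doc = new DOMDocument();
    // LIBXML_NONET: parse without fetching anything over the network.
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('WSDL is not well-formed XML');
    }
    $xpath = new DOMXPath($doc);
    $xpath->registerNamespace('w', 'http://schemas.xmlsoap.org/wsdl/');
    $xpath->registerNamespace('x', 'http://www.w3.org/2001/XMLSchema');
    $attrs = $xpath->query(
        '//w:import/@location | //x:import/@schemaLocation'
        . ' | //x:include/@schemaLocation | //x:redefine/@schemaLocation'
    );
    $foreign = [];
    foreach ($attrs as $attr) {
        $host = parse_url($attr->value, PHP_URL_HOST);
        if (is_string($host) && strtolower($host) !== $serviceHost) {
            $foreign[] = $attr->value;
        }
    }
    return $foreign;
}

print_r(foreignReferences($wsdl, 'http://my.host.com/my_web_service?wsdl'));
```

Any URL the function returns is a third-party fetch made while the WSDL is parsed; a network capture of SoapClient construction, as in the message above, shows whether an Authorization header accompanies it.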