Re: Fwd: SOAPClient authentication problem

Hi David,

Please report a bug on bugs.php.net (assign it to dmitry).
I'll look into it later.

Thanks. Dmitry.

David Zülke wrote:
> This sounds like a serious issue, but I'm not sure if it's in libxml or
> in ext/soap. Will have a look later; but maybe Dmitry or someone else
> knows off the top of their heads?
> 
> - David
> 
> 
> Begin forwarded message:
> 
>> From: Davide Romanini <davide.romanini@gmail.com>
>> Date: 30 June 2009 11:49:30 CEST
>> To: soap@lists.php.net
>> Subject:  SOAPClient authentication problem
>> Reply-To: d.romanini@cineca.it
>>
>> Hi,
>>
>> Today I found a nasty problem with a simple php SOAP client. Never had
>> problems before, but today I have the following error at SOAPClient
>> constructor line:
>>
>> SoapClient::SoapClient(http://www.w3.org/2001/xml.xsd): failed to open
>> stream: HTTP request failed! HTTP/1.1 401 Authorization Required
>>
>> The source is as simple as:
>>
>> $client = new SoapClient("http://my.host.com/my_web_service?wsdl",
>>                         array( 'trace' => TRUE,
>>                                'login'=>'mylogin',
>>                                'password'=>'secret'
>>                              )
>>                        );
>>
>> It seems that the php xml parser tries to fetch the url
>> http://www.w3.org/2001/xml.xsd at wsdl parsing time. Sniffing the
>> network operations I found that php uses my login and password (for the
>> web service) also to access external references! :-O
>>
>> GET /2001/xml.xsd HTTP/1.0
>> Authorization: Basic bXlsb2dpbjpzZWNyZXQ=
>> Host: www.w3.org
>>
>> In the past probably w3.org just ignored the issue, but now I receive an
>> HTTP 401 Unauthorized error in response...
>>
>> In any case it is a serious security issue if SOAPClient sends password
>> around the web, when the intent is that they are used only for the web
>> service host!
>>
>> I tried the following PHP versions:
>>
>> PHP 5.2.3-1ubuntu6.5 (cli) (built: Feb 11 2009 19:55:53)
>> Copyright (c) 1997-2007 The PHP Group
>> Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
>>
>> PHP 5.2.8 (cli) (built: Dec 17 2008 00:54:27)
>> Copyright (c) 1997-2008 The PHP Group
>> Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
>>    with Zend Extension Manager v1.0.11, Copyright (c) 2003-2006, by
>> Zend Technologies
>>    with Zend Optimizer v3.2.0, Copyright (c) 1998-2006, by Zend
>> Technologies
>>    with Zend Debugger v5.2.2, Copyright (c) 1999-2006, by Zend
>> Technologies
>>
>>
>> Regards,
>> Davide
>>
>> -- 
>> PHP Soap Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
>>
>>
> 

-- 
PHP Soap Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
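
A defensive check for the behaviour reported in this thread, as an added example that is not part of the original messages or of PHP's own code: it lists the import/include locations in a WSDL that point at a host other than the web service, which are the requests that would carry the `login`/`password` elsewhere. The sample WSDL is constructed, and `external_wsdl_references()` is a hypothetical helper name.

```php
<?php
// Added example: find WSDL/XSD references that leave the service host.
const WSDL_NS = 'http://schemas.xmlsoap.org/wsdl/';
const XSD_NS  = 'http://www.w3.org/2001/XMLSchema';

function external_wsdl_references(string $wsdlXml, string $serviceUrl): array
{
    $serviceHost = strtolower((string) parse_url($serviceUrl, PHP_URL_HOST));
    $doc = new DOMDocument();
    // LIBXML_NONET: the audit itself must not fetch anything over the network.
    if (!$doc->loadXML($wsdlXml, LIBXML_NONET)) {
        throw new RuntimeException('WSDL is not well-formed XML');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('wsdl', WSDL_NS);
    $xp->registerNamespace('xsd', XSD_NS);
    $query = '//wsdl:import/@location | //xsd:import/@schemaLocation'
           . ' | //xsd:include/@schemaLocation';
    $refs = [];
    foreach ($xp->query($query) as $attr) {
        $host = parse_url($attr->value, PHP_URL_HOST);
        // Relative locations have no host and resolve against the service URL.
        if (is_string($host) && strtolower($host) !== $serviceHost) {
            $refs[] = $attr->value;
        }
    }
    return $refs;
}

// Constructed sample WSDL with one external import and one relative include.
$wsdl = <<<'XML'
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <types>
    <xsd:schema>
      <xsd:import namespace="http://www.w3.org/XML/1998/namespace"
                  schemaLocation="http://www.w3.org/2001/xml.xsd"/>
      <xsd:include schemaLocation="types.xsd"/>
    </xsd:schema>
  </types>
</definitions>
XML;

foreach (external_wsdl_references($wsdl, 'http://my.host.com/my_web_service?wsdl') as $ref) {
    echo "external reference: $ref\n";
}
// The captured Authorization header is only base64, so decoding it recovers login:password.
echo base64_decode('bXlsb2dpbjpzZWNyZXQ='), "\n";
```

Running a check like this against a saved copy of the WSDL, before constructing the client with credentials, shows which third-party hosts would be contacted during WSDL parsing.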


